Difference between revisions of "AppSecEU08 HTML5"
(→Cross-domain XMLHttpRequest) |
|||
(7 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | [[AppSecEU08 | AppSecEU08]] > [[AppSecEU08#Agenda_and_Presentations_-_May_21-22 | Agenda and Presentations]] > [[AppSecEU08_HTML5 | HTML5 Security]] | |
− | + | = Slides and Contact = | |
− | + | Slides: [http://www.w3.org/2008/Talks/0521-owasp-html5-tlr/0521-owasp-html5-tlr.pdf Would you like fries with that?] | |
− | + | Contact: Thomas Roessler, W3C Security Activity Lead, [mailto:[email protected] [email protected]] | |
+ | |||
+ | = HTML5 resources = | ||
* [http://www.w3.org/html/wg/html5/ HTML 5 editor's draft] | * [http://www.w3.org/html/wg/html5/ HTML 5 editor's draft] | ||
Line 28: | Line 30: | ||
* [http://www.w3.org/html/wg/html5/#sandbox iframe sandboxing]; [http://lists.w3.org/Archives/Public/public-webapi/2008May/0326.html summary of concepts] | * [http://www.w3.org/html/wg/html5/#sandbox iframe sandboxing]; [http://lists.w3.org/Archives/Public/public-webapi/2008May/0326.html summary of concepts] | ||
− | + | = Cross-domain XMLHttpRequest = | |
* [http://dev.w3.org/2006/waf/access-control/ access-control editor's draft] | * [http://dev.w3.org/2006/waf/access-control/ access-control editor's draft] | ||
Line 38: | Line 40: | ||
* [http://lists.w3.org/Archives/Public/public-appformats/2008Mar/0017.html IE Team's proposal for Cross Site Requests] (XDomainRequest) | * [http://lists.w3.org/Archives/Public/public-appformats/2008Mar/0017.html IE Team's proposal for Cross Site Requests] (XDomainRequest) | ||
+ | |||
+ | Relevant work is currently occuring in the [http://www.w3.org/2006/webapi/ Web API] and [http://www.w3.org/2006/appformats/ Web Application Formats] Working Groups at W3C. A [http://www.w3.org/2007/12/WebApps-Charter-2007 proposed restructuring] of that work is currently being negotiated. | ||
+ | |||
+ | = About W3C = | ||
+ | |||
+ | * [http://www.w3.org/Consortium/ About W3C] | ||
+ | * [http://www.w3.org/Consortium/process W3C Process] | ||
+ | * [http://www.w3.org/Consortium/membership About W3C membership] | ||
+ | * [http://www.w3.org/Consortium/Member/List Current members] |
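Review bot: the paragraph added after the XDomainRequest link misspells "occurring" as "occuring", and "currently" appears in both of its sentences. Suggest "Relevant work is occurring in the [http://www.w3.org/2006/webapi/ Web API] and ... Working Groups at W3C." and leaving the second sentence as written.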
Latest revision as of 10:45, 27 May 2008
AppSecEU08 > Agenda and Presentations > HTML5 Security
Slides and Contact
Slides: Would you like fries with that?
Contact: Thomas Roessler, W3C Security Activity Lead, [email protected]
HTML5 resources
- HTML 5 editor's draft
- HTML 5 publication notes
- Web interface to specification changes
- Major changes as a twitter feed
- HTML Working Group Home Page
Specific parts of the specification that were mentioned during the talk:
- Browsing contexts; navigation policy
- Origin
- Custom protocol and content handlers
- Offline Web Applications
- Structured client-side storage
- Cross Document Messaging (aka postMessage)
- server-sent DOM events
- Network connections
Also of interest, but added even more recently:
Cross-domain XMLHttpRequest
Note that the "access-control" specification provides a mechanism for authorizing exceptions to the same-origin policy. How that authorization (and the data retrieved) is used isn't actually specified. For XMLHttpRequest, the governing specification is XMLHttpRequest Level 2. Don't read one without the other.
Also relevant:
- IE Team's proposal for Cross Site Requests (XDomainRequest)
Relevant work is currently occurring in the Web API and Web Application Formats Working Groups at W3C. A proposed restructuring of that work is currently being negotiated.