AppSecEU08 HTML5
Would you like fries with that?
-- a security-minded reader's guide to HTML5
HTML5 resources
- HTML 5 editor's draft
- HTML 5 publication notes
- Web interface to specification changes
- Major changes as a twitter feed
- HTML Working Group Home Page
Specific parts of the specification that were mentioned during the talk:
- Browsing contexts; navigation policy
- Origin
- Custom protocol and content handlers
- Offline Web Applications
- Structured client-side storage
- Cross Document Messaging (aka postMessage)
- Server-sent DOM events
- Network connections
Also of interest, but added even more recently:
Cross-domain XMLHttpRequest
Note that the "access-control" specification provides a mechanism for authorizing exceptions to the same-origin policy. How that authorization (and the data retrieved) is used isn't actually specified. For XMLHttpRequest, the governing specification is XMLHttpRequest Level 2. Don't read one without the other.
Also relevant:
- IE Team's proposal for Cross Site Requests (XDomainRequest)