Questions tagged [html-5]
HTML5 is a markup language used for structuring and presenting content on the World Wide Web.
55 questions

46 votes, 3 answers
For an end-user, is HTML5/JavaScript more secure than Flash?
I'm not talking about server-side security or even necessarily XSS vulnerabilities, as these are attacks on vulnerable services and do not use any pre-existing vulnerabilities on the client side to affect an end user. They will exist as long as web…
Jonathan Gray

45 votes, 4 answers
How can HTML5 geolocation bypass my VPN?
About two months ago I decided to use a VPN all the time (it's launched at startup) for various reasons, privacy being the first one. But recently I realized that if you agree to share your location when an HTML5 geolocation prompt pops up in…
drov

40 votes, 7 answers
Security risks of user generated HTML?
I am creating a website that allows people to upload HTML content.
Currently these are the tags that are banned:
Jevon

38 votes, 5 answers
Is HTML5 vibrate feature a security vulnerability?
While surfing a news website on my mobile, I receive a virus infection alert warning that triggers my phone to vibrate incessantly. The alert looks like the following:
I didn't expect my phone to vibrate and the alert is able to tell me the model…
Question Overflow

31 votes, 3 answers
What useful things can I do with the html5 "keygen" element?
There's a new* keygen element in the html5 spec. It's supported in major browsers excepting Internet Explorer and Safari.
Here's what it looks like:

24 votes, 5 answers
Is HTML5 input pattern validation sufficient (or even relevant) for client-side validation?
An interesting feature of HTML5 is the attribute, which allows the browser to validate the input field's value against a regular expression provided by the developer.
Subsequently, this binds to the field's ValidityState which…
msanford

24 votes, 6 answers
Alternatives to HTML's deprecated for client certs?
The keygen tag is used to make browsers generate private keys and POST the resulting CSR to the server, which can then issue a certificate. It's now been deprecated, for rather stupid reasons, but that's beside the point.
So, what are the…
André Borie

22 votes, 1 answer
How to use postMessage securely
postMessage is a primitive introduced in HTML5 that web pages can use for cross-origin communication.
What do I need to do to use postMessage securely? What are the primary security pitfalls or mistakes that I need to look out for?
D.W.

20 votes, 4 answers
Is it safe to store password in HTML5 sessionStorage?
I am trying to improve the user experience on registration by not requiring the user to retype their password if validation on other fields fails. There are a few ways to implement this, for example using a session cookie and storing a hash of the password…
Question Overflow

16 votes, 2 answers
Security of running openpgp.js in a browser with the private key in HTML5 localStorage
If I were to write a web application using openpgp.js (http://openpgpjs.org/) for creating PGP encrypted/signed messages and if I stored the user's private key in localStorage, would this be vulnerable to the same complaints about JavaScript…
Souvik Banerjee

12 votes, 2 answers
Disable HTML5 battery features
HTML5 has a feature set relating to client battery status. It has been described as a privacy hole, as it can be used to track and identify web users. Research suggests the features can be used even to identify users using VPN or private browsing…
Gruber

12 votes, 2 answers
Preventing CSRF attacks against WebSocket communications
I have read the thread about CSRF attacks in websockets (Do WebSocket-powered web apps (e.g. "comet" apps) have to worry about CSRF?) and also some more material regarding websocket security, but none of them seem to address the following issue -
Is…
user3074662

12 votes, 3 answers
Elaborate websockets security
I'm interested in learning more about web sockets security. I read that web sockets were originally in Firefox, removed for security reasons and now added back in with the problem resolved:
http://news.ycombinator.com/item?id=2600022
Initial read of…
Rakkhi

11 votes, 1 answer
Why is a "tainted canvas" a risk?
I understand the concern about a tainted canvas - the idea that the bits of an image from another site can be sent back to a malicious server. But can you explain the details of how exactly this works?
Suppose the user visits nastysite.com and…
M Katz

10 votes, 3 answers
localStorage for apps over https. What expectations are there?
I run an online gradebook. To keep student data private, I transfer all data over https.
Now, I'd like to use localStorage to avoid redundant calculations and server requests. However, according to the HTML5 spec, local storage is unencrypted.
Is…
Riley Lark