
RVAsec 2013: Mike Shema -- JavaScript Security & HTML5

Slides: http://rvasec.com/slides/2013/Shema-JavaScript_Security_and_HTML5.pdf

Modern web apps that leverage HTML5 APIs rely heavily on JavaScript. But the mixture of JavaScript, poor programming, and insecure server-side code makes the web an Orwellian place where "JavaScript is Harmless". HTML5 introduces security controls like sandboxes, Cross-Origin Resource Sharing (CORS) and Content Security Policy (CSP). Each of these contributes to a more secure browsing experience, but only if implemented properly — and only against the flaws they were designed to mitigate. If you've been confused about whether HTML5 improves security or not, this presentation will clarify what to expect from web apps. It lists the steps necessary to improve your site's JavaScript and prepare it for a smooth transition to better security with CSP, with demonstrations of why the effort to refactor your code is worth making. It covers the risks and benefits associated with other HTML5 APIs and how they impact the user agent and the user's privacy. Finally, it highlights areas where browser security still lags, and offers some suggestions for new techniques to improve browser security against more than just XSS.

