Mohamed Sanaulla wrote: First, a big thanks to Carsten Eilers for being here to promote the book HTML5 Security.
Mohamed Sanaulla wrote: The winners are:
qunfeng wang
steve claflin
Preethi Natarajan
phillip smith
Jeanne Boyarsky wrote: Welcome, Carsten!
Henry Wong wrote:
This week, we're delighted to have Carsten Eilers helping to answer questions about the new book HTML5 Security.
The promotion starts Tuesday, April 16th 2013 and will end on Friday, April 19th 2013.
We'll be selecting four random posters in this forum to win a free copy of the book provided by the publisher, Developer.Press.
Preethi Natarajan wrote: Hi
I want to allow only one email ID in a text box using JavaScript validation with HTML.
For example: abc@gmail.com; multiple emails should not be allowed.
I'm new to JavaScript. If anyone has an idea, then please share it.
Thanks,
Preethi
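An added example for the question above (not code from the book or from anyone in this thread): a client-side check that a text box holds exactly one e-mail address and rejects lists such as "abc@gmail.com, def@gmail.com". The form id "signup", the input name "email" and the header comment's address format are assumptions made for this example.

```javascript
// Added example (not from the book or the thread): client-side check that a
// text box contains exactly one e-mail address. A list such as
// "a@example.com, b@example.com", or two addresses separated by spaces,
// is rejected.

// One address: no whitespace, commas, semicolons or angle brackets anywhere,
// exactly one "@", and at least one dot in the domain part. This is a
// deliberately simple shape check, not a full RFC 5322 parser.
const SINGLE_EMAIL = /^[^\s@,;<>]+@[^\s@,;<>]+\.[^\s@,;<>]+$/;

// Returns true only for a single, plausibly formed address.
function isSingleEmail(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  if (v.length === 0 || v.length > 254) return false; // 254 is the practical upper bound for an address
  return SINGLE_EMAIL.test(v);
}

// Wrap the check so the form code gets a message it can show to the user.
function validateEmailField(value) {
  if (isSingleEmail(value)) return { ok: true, message: '' };
  return { ok: false, message: 'Enter exactly one e-mail address.' };
}

// Wire it to a form only when running in a browser; the functions above
// stay usable from Node for testing. Assumes a form with id "signup" and
// an input named "email" (hypothetical markup for this example).
if (typeof document !== 'undefined') {
  const form = document.getElementById('signup');
  if (form) {
    form.addEventListener('submit', (event) => {
      const result = validateEmailField(form.elements.email.value);
      if (!result.ok) {
        event.preventDefault(); // keep the form from submitting
        alert(result.message);
      }
    });
  }
}
```

Browser-side validation improves the form's usability; the server has to repeat the same check on every submission, because anything that runs in the browser is under the user's control and can be switched off or altered.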
steve claflin wrote: Sorry about not being very specific; I was thinking of Ajax requests, and the types of preventative measures like those discussed in
http://jazoon.com/portals/0/Content/ArchivWebsite/jazoon.com/jazoon09/download/presentations/7560.pdf (page 29)
or
http://www.denimgroup.com/media/pdfs/DenimGroup_Web20Security_AJAXWorld_20070321.pdf (page 23)
steve claflin wrote: From other posts I've seen (plus the number of sites I go to that now append a junk parameter to the end of the request URLs if I view my network traffic), I've been assuming that if the server and I both agree on what the "unpredictable" component is, and it was determined uniquely for this session, then someone reading the code in advance won't know what URL we'll actually be using. But the knowledge of that extra value is still going to be somewhere in the code, like held in a variable (or maybe using a function to adjust the URL). So, if they can inject JS code based on the existing code, then they could see that token, or invoke the URL-adjusting function, unless those elements aren't part of the window object.
Scott Mattocks wrote: Are there no new technologies available with HTML5 that isolate the run time environment or help make it easier to filter unwanted characters out of data?
Michael Cohen wrote: Carsten,
Thanks, yes, encryption is hard in the browser without saving some sort of key. What do you think of the functionality that browsers like Chrome provide to keep data secure? Have you played with Chrome's local storage that's available to browser extensions? I'd love to hear your take.
Thanks,
Mike
Michael Cohen wrote: How can HTML5 be leveraged with encryption?
Michael Cohen wrote: Also, where's the safest place to store data? Local storage?
Michael Cohen wrote: Is there a way to prevent script injection?
steve claflin wrote: The current thinking is that URLs should be unpredictable. But, it seems to me that any logic to do that is going to have some predictable path to find out what the "extra" information is. It would have to be in a JS variable at some point, and then injected script could access it.
That leads me to think that any code dealing with that unpredictability ought to be wrapped in a self-executing anonymous function in order to provide a variable space that isn't accessible from the outside. Is that a reasonable conclusion, or is there some other way to ensure that the logic related to the token can't be accessed?
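An added example for the closure idea in the post above (not code from the book or from anyone in this thread): a self-executing function keeps the per-session token in its own scope and exports only a request function, followed by a check that the token is not reachable through the global object. The `<meta name="request-token">` tag, the `X-Request-Token` header and the sample token value are assumptions made for this example.

```javascript
// Added example (not from the book or the thread): keeping a per-session
// request token out of the global scope with a self-executing function,
// plus a check that shows what that does and does not achieve.
// The <meta> tag name, header name and token value are assumptions.

const api = (function () {
  // In a real page the token is rendered by the server, e.g. into
  // <meta name="request-token" content="...">. The fallback value is a
  // constructed sample so the example also runs outside a browser.
  function readTokenFromPage() {
    if (typeof document !== 'undefined') {
      const meta = document.querySelector('meta[name="request-token"]');
      if (meta) return meta.getAttribute('content');
    }
    return 'constructed-sample-token-0123';
  }

  // Private to this closure: never assigned to window/globalThis, so other
  // code cannot read it as window.token or by enumerating window's properties.
  const token = readTokenFromPage();

  function buildRequest(path, body) {
    return {
      url: path,
      method: 'POST',
      headers: { 'Content-Type': 'application/json', 'X-Request-Token': token },
      body: JSON.stringify(body),
    };
  }

  // The only thing exported. `send` is injectable so the example can run
  // without a network; the default uses fetch where it exists.
  function post(path, body, send) {
    const req = buildRequest(path, body);
    const transport = send || ((r) => fetch(r.url, { method: r.method, headers: r.headers, body: r.body }));
    return transport(req);
  }

  return { post };
})();

// Defender's check: is the token value reachable through the global object?
// Looks for a global named `token` and for any global string holding the value.
function tokenReachableFromGlobal(tokenValue) {
  if (typeof globalThis.token !== 'undefined') return true;
  return Object.getOwnPropertyNames(globalThis).some((name) => {
    let v;
    try { v = globalThis[name]; } catch (e) { return false; } // some globals throw on access
    return typeof v === 'string' && v.includes(tokenValue);
  });
}
```

Hiding the variable narrows what injected code can read directly, but anything running in the page can still call `api.post`, which is exactly the limitation raised in the post, and the token still travels in every request. Treat the closure as defence in depth; the page's real protection is to stop injection in the first place, by encoding untrusted data on output and sending a Content Security Policy.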
Scott Mattocks wrote: If I were to build a game in HTML5 that uses WebSockets for communication, how can I secure the communications and make sure that one player doesn't inject stuff into the other users' games?
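An added example for the WebSocket game question above, which also covers Michael Cohen's earlier question about preventing script injection (not code from the book or from anyone in this thread): the server treats every frame as untrusted input, accepts only messages matching a strict schema, rebuilds them so no extra fields survive, takes the sender's identity from the authenticated session rather than the payload, and the client renders player text as text. The message types, board size, limits and session shape are constructed for this example.

```javascript
// Added example (not from the book or the thread): a WebSocket game server
// treating every frame as untrusted input. The message types, board size,
// limits and the `session` object are constructed for this example.

const BOARD_SIZE = 8;
const MAX_FRAME = 512;
const MAX_CHAT = 200;

// Parse one raw frame into a typed message, or return null to drop it.
function parseMessage(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_FRAME) return null;
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return null; }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return null;

  if (msg.type === 'move') {
    const { x, y } = msg;
    if (!Number.isInteger(x) || !Number.isInteger(y)) return null;
    if (x < 0 || x >= BOARD_SIZE || y < 0 || y >= BOARD_SIZE) return null;
    return { type: 'move', x, y };            // rebuilt: only known fields survive
  }
  if (msg.type === 'chat') {
    const { text } = msg;
    if (typeof text !== 'string' || text.length === 0 || text.length > MAX_CHAT) return null;
    return { type: 'chat', text };
  }
  return null;                                // unknown type: drop it
}

// Server side. `session` is whatever your socket layer attached after
// authenticating the connection (over wss://, so the frames are encrypted in
// transit). The player id in the broadcast comes from there, never from the
// frame, so one player cannot send moves or chat in another player's name.
function handleFrame(session, raw, broadcast) {
  const msg = parseMessage(raw);
  if (msg === null) return false;             // caller can count rejects and close abusive sockets
  broadcast(JSON.stringify({ from: session.playerId, ...msg }));
  return true;
}

// Client side. Player text goes into the page as text, never as markup:
// in the browser, li.textContent = `${from}: ${text}` is enough. Where a
// string of HTML is unavoidable (e.g. a template), escape every untrusted
// value first, as below.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function chatLineHtml(from, text) {
  return `<li>${escapeHtml(from)}: ${escapeHtml(text)}</li>`;
}
```

The two halves do different jobs: the server-side schema keeps a player from injecting moves or fields the game never defined, and the client-side rendering keeps whatever text does get through from being interpreted as HTML or script by the other players' browsers.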
Brent W Farrell wrote: I have been reading for a while that HTML5 will be a big security improvement, since it will reduce the reliance of rich web applications on things such as Adobe Flash, which have traditionally had security problems. But won't HTML5 just shift these security problems from plugins to the browser itself once they are all fully implementing the new APIs? It's not like Flash is going to go away. We still deal with Java security flaws in applets. Won't HTML5 just introduce yet more attack surface, since the browser will expose things such as local storage and we will still have to deal with the problems in Flash?
qunfeng wang wrote: Hi Carsten,
I don't find much information about what the book is about. Would you please talk about the scope of your book? Does it take the security topic as a whole web application, or front-end only?
Stuie Clarky wrote: Hi there,
Just wondering what you feel is the most significant update in HTML5 in regards to making sites more secure?
S