CRV2 ClientSideCodeHTML5

=Code review on HTML5==

HTML5 was created to replace HTLML4, XHTML and the HTML DOM Level 2. Main purposes of this new standard is to provide dynamic content without the use of extra proprietary plugins such as Silverlight. This allows designers and developers to create exceptional sites providing a great user experience without having to install any additional plug-ins into the browser. Ideally users should have the latest web browser installed but this does not happens as regularly as security experts advice, therefore the website should implement 2 layer controls, one layer independent from Browser type, second, as an additional control.

What and where to look for in the code
Many vulnerabilities are indeed patched through the implementation of proper HTTP Headers. Part of these vulnerabilities include Cross Site Scripting, Click jacking and Cross Site Forgery among others. For more info regarding these vulnerabilities, please consult the OWASP Top 10. Therefore the code reviewer must focused on looking for specific implementation of certain features and code

Clickjacking
To avoid click jacking of the website, look for implementation of X-Frame-Options .Keep in mind that this code might not work on legacy browsers. The website http://erlend.oftedal.no/blog/tools/xframeoptions/ does a compatibility test on the browser’s x-frame-options support. For more info on Clicjacking/Jacking/Framing please refer to chapter Jacking/Framing Implementation of the code is also dependent on the type of web server technology used, therefore the code might be implemented in configuration files on the server side scripts (for example apache does this in the httpd.conf file) Header always append X-Frame-Options SAMEORIGIN

PHP


IIS (.NET)
 ...

    

... 

Implementation of HTML5 Sandbox attribute
It is possible to set the sandbox attribute and this helps set restrictions on content hosted in the iframe. The value must be correctly implemented by setting an unordered unique space-perated token which are ASCII case sensitive, these are allow-forms, allow-pointer-lock, allow-popups, allow-same-origin, allow-scripts, and allow-top-navigation.

Modern browsers including Chrome, Firefox, and IE10 Platform Preview are based on the W3C IFrame Sandbox Attribute. 

Keep in mind that these security restrictions can be easily lifted by placing allow tokens in the attributes value such as this:



For more info on correct implementation of HTML5 Sandbox code please visit http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#the-iframe-element