Difference between revisions of "AppSecEU08 HTML5"

From OWASP
(New page: = Would you like fries with that? = ''-- a security-minded reader's guide to HTML5'' * [http://www.w3.org/2008/Talks/0521-owasp-html5-tlr/0521-owasp-html5-tlr.pdf Slides (pdf)] == HTML5...)
 
(Cross-domain XMLHttpRequest)
 
== Cross-domain XMLHttpRequest ==

+ * [http://dev.w3.org/2006/waf/access-control/ access-control editor's draft]
+ * [http://dev.w3.org/2006/webapi/XMLHttpRequest-2/ XMLHttpRequest Level 2 editor's draft]
+
+ Note that the "access-control" specification provides a mechanism for authorizing exceptions to the same-origin policy. How that authorization (and the data retrieved) is used isn't actually specified. For XMLHttpRequest, the governing specification is XMLHttpRequest Level 2. Don't read one without the other.
+
+ Also relevant:
+
+ * [http://lists.w3.org/Archives/Public/public-appformats/2008Mar/0017.html IE Team's proposal for Cross Site Requests] (XDomainRequest)

Revision as of 05:32, 27 May 2008

Would you like fries with that?

-- a security-minded reader's guide to HTML5

HTML5 resources

Specific parts of the specification that were mentioned during the talk:

Also of interest, but added even more recently:

Cross-domain XMLHttpRequest

* [http://dev.w3.org/2006/waf/access-control/ access-control editor's draft]
* [http://dev.w3.org/2006/webapi/XMLHttpRequest-2/ XMLHttpRequest Level 2 editor's draft]

Note that the "access-control" specification provides a mechanism for authorizing exceptions to the same-origin policy. How that authorization (and the data retrieved) is used isn't actually specified. For XMLHttpRequest, the governing specification is XMLHttpRequest Level 2. Don't read one without the other.

Also relevant:

* [http://lists.w3.org/Archives/Public/public-appformats/2008Mar/0017.html IE Team's proposal for Cross Site Requests] (XDomainRequest)
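The split the note describes, as an added example that is not from this page or from the W3C drafts it links: the server side models the access-control authorization (an explicit origin allowlist, never a reflected Origin), and the user-agent side models the XMLHttpRequest Level 2 decision of whether a script may read the response. The header names, the `policy` object and the origins are assumptions; the names follow the later W3C CORS Recommendation rather than the 2008 drafts.

```javascript
// Server side (access-control): decide which headers authorize a same-origin
// exception for a request carrying the Origin request header `origin`.
// `policy.allowedOrigins` is an explicit allowlist (constructed example data).
// An arbitrary Origin is never reflected back.
function accessControlHeaders(origin, policy) {
  if (typeof origin !== "string" || origin === "null") {
    return {};                  // missing or opaque origin: no exception granted
  }
  if (!policy.allowedOrigins.includes(origin.toLowerCase())) {
    return {};                  // not on the allowlist: same-origin policy stands
  }
  const headers = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  if (policy.allowCredentials) {
    // Credentials are only ever allowed for a specific origin, never for "*".
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// User-agent side (XMLHttpRequest Level 2): given the requesting document's
// origin and the response headers, may the script read the response body?
// This is the part the access-control draft leaves to the XHR specification.
function userAgentMayExpose(requestOrigin, responseHeaders, withCredentials) {
  const allow = responseHeaders["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;          // no authorization at all
  if (allow === "*") return !withCredentials;     // wildcard never covers credentials
  if (allow !== requestOrigin) return false;      // authorized for someone else
  return !withCredentials ||
    responseHeaders["Access-Control-Allow-Credentials"] === "true";
}
```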