Security Risks in HTML5
HTML5 has been a revolutionary change in web development, making websites more visually attractive and interactive. It has been the perfect answer to the growing needs of multi-device users. It has found great acceptance in the developer community, with most businesses opting for HTML5-powered websites. One of the greatest advantages of HTML5 is that it has brought a native-app-like feel to websites, moving most features and functionality to the client instead of the server, as had been the norm for years.
But with all these advantages, HTML5 also has its own drawbacks. Security is one such issue, as vulnerabilities have been unearthed that pose serious risks to web and mobile development. It is vulnerable to stealthy, silent attacks that often compromise the privacy of users. The vulnerability is greater on smartphones and tablets, where traditional browser-based browsing isn't popular. HTML5-powered apps can pose serious dangers to the client as well as the server. Here we discuss some of these risks that every developer should be aware of.
Risks In Data Storage
One of the biggest risks that HTML5 poses has to do with its enhanced data storage capabilities. We have already mentioned that HTML5 introduces a new model in which most of the data is stored on the client side. Developers describe this as one of the greatest strengths as well as one of the greatest dangers of the new markup language. Earlier versions of HTML could only store session or login information in the form of cookies. HTML5, on the other hand, has introduced sessionStorage, localStorage, and client-side databases, which allow a vast amount of data to be stored on the client side and give easier access to information even in offline mode. This feature allows websites to offer an uninterrupted experience to users even when the connection drops for a short time. It also opens a window of opportunity for an attacker, as the data can easily be retrieved and manipulated and can be uploaded back to the server to attack others. Along with this, there are also risks when it comes to temporary storage, though the issue isn't as grave as with the permanent storage we have discussed so far.
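Because anything in localStorage can be edited by whoever controls the browser, the application should treat it as untrusted input each time it is read. The following is an added example, not code from the original article: it validates an offline comment queue before the data is displayed or sent back to the server. The storage key, field names and helper functions are assumptions made for illustration.

```javascript
// Added example; pendingComments, loadPending and memoryStorage are hypothetical names.
const MAX_ITEMS = 50;
const MAX_TEXT = 500;

// Accept only the exact shape the app itself writes; anything else is dropped.
function isValidComment(item) {
  if (item === null || typeof item !== 'object' || Array.isArray(item)) return false;
  const keys = Object.keys(item).sort().join(',');
  if (keys !== 'postId,text') return false; // no extra or missing fields
  if (!Number.isSafeInteger(item.postId) || item.postId <= 0) return false;
  return typeof item.text === 'string' && item.text.length > 0 && item.text.length <= MAX_TEXT;
}

// Read the queue from any Storage-like object (window.localStorage in a browser).
function loadPending(storage) {
  let parsed;
  try {
    parsed = JSON.parse(storage.getItem('pendingComments') || '[]');
  } catch (e) {
    return []; // corrupted or hand-edited JSON
  }
  if (!Array.isArray(parsed)) return [];
  return parsed.slice(0, MAX_ITEMS).filter(isValidComment)
    .map(c => ({ postId: c.postId, text: c.text })); // copy only known fields
}

// Encode for HTML output so stored markup is shown as text, not interpreted.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Constructed stand-in for localStorage so the example runs outside a browser.
function memoryStorage(initial) {
  const m = new Map(Object.entries(initial));
  return { getItem: k => (m.has(k) ? m.get(k) : null) };
}

// Constructed sample data: one well-formed record and three tampered ones.
const tampered = memoryStorage({
  pendingComments: JSON.stringify([
    { postId: 7, text: 'Nice <b>article</b>' },
    { postId: '7', text: 'wrong type for postId' },
    { postId: 8, text: 'extra field', isAdmin: true },
    { postId: 9, text: 'a'.repeat(501) }
  ])
});
const safe = loadPending(tampered);
console.log(safe.map(c => escapeHtml(c.text)));
```

The same checks have to be repeated on the server when the queue is uploaded, since client-side validation can be bypassed along with the stored data.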
Offering Access To Camera, GPS, and Microphone
In a bid to make websites more interactive, many web developers have made extensive use of imaging, location, and voice-based functionality. Many web-based applications require users to grant access to their cameras, microphones and GPS systems. For example, there are sites that require users to authenticate their identity using an image or their voice. The geolocation feature in HTML5 offers highly customized search results based on a user's location. Most users are likely to grant access to such services without considering the security and privacy implications. An attacker can easily make use of these devices on an HTML5-powered website to peek into the activities and location of users without them even being aware of it. What's worrying is that on most occasions the user won't know that his or her security has been compromised.
Third Party Code
Another security concern for developers in HTML5 comes from the use of third-party code. HTML5 is known to bring dynamism to web development through the use of third-party code, and this opens potential vulnerabilities for the website. In previous versions of the markup language, JavaScript had limited scope for requesting resources from other domains. For instance, previous versions of HTML didn't allow pages from one domain to pass or access data in pages from another domain. This prevented a malicious site from interpreting the data from a legitimate site in the form of popups. In HTML5, JavaScript requests resources from different domains using a new method known as cross-origin resource sharing (CORS). Here JavaScript can access information from multiple domains at the same time, which allows a website to offer information from multiple domains at once. However, HTML5 doesn't have any mechanism to check the origin of the content. This offers a great opportunity for hackers to access information from the server as well as from clients.
All these security vulnerabilities do have their own remedies, and how well a website negotiates these risks depends on the skills of the developer. HTML5 presents a wonderful opportunity for developers to expand into new horizons of web development, and developers are making use of this technology to take web development to a new level and to offer more opportunities to businesses with their users and vice versa.