New browsers, new HTML, new threat?

With the recent announcement of the draft specifications for HTML 5 [1,2] has come a fair amount of excitement in the web developer community, particularly as we start seeing more browsers offering support (Firefox 3, Safari 3.1, IE8 for example). So, what does HTML 5 bring to the table and how might this new specification affect web threats (if at all)?

A detailed list of the differences between HTML 4 and HTML 5 specifications can be found here. Unsurprisingly, a lot of the new features are design or document structure oriented, including new elements and attributes that have been long awaited. These provide a number of benefits ranging from better support for embedding video to better data handling in input forms. Somewhat ‘behind the scenes’ is one of the most important new features, which is also the one of most interest from a threat perspective – provision for client-side storage.

Historically something of a bugbear, data storage on the client gets some attention in HTML 5. Simple, structured data can now be stored using the sessionStorage and localStorage attributes [3]. Only pages from the same origin, in the same window, can access sessionStorage data, whereas localStorage data is designed to be accessed across windows and between sessions (with the same-origin policy applied).

Data can be cleared via the regular cleanup options provided by the browser. For example, an additional option (highlighted) is visible within the ‘Clear Private Data’ dialog in Firefox 3 (beta4):


For those interested in user-tracking, these new storage attributes are attractive. The specification does include a discussion of steps browsers could take in order to help prevent user-tracking, but it is likely we will see targeted marketing taking advantage of this feature.

This is not where it ends with client-side data storage. HTML 5 also allows for local data storage within SQL databases [4]. This opens the door to client-side SQL injection attacks, an enticing prospect for the attacker.
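The risk above comes from building the SQL statement text out of page data rather than binding values to the `?` placeholders that the HTML 5 database API's `executeSql(sql, args)` provides. The following is an added example, not code from the original post: a guard that refuses statements containing inline string literals, with the unsafe and safe lookup patterns side by side. The `notes` table, the `owner` column and the stub transaction object are assumptions made for the illustration.

```javascript
// Added example: a guard around the HTML 5 database API's
// tx.executeSql(sql, args) that only lets parameterised statements through.
// Values must travel in `args`, bound to `?` placeholders, so untrusted
// input never becomes part of the SQL text.

// Count the `?` placeholders in a statement.
function countPlaceholders(sql) {
  return (sql.match(/\?/g) || []).length;
}

// Reject any statement that carries an inline string literal, or whose
// placeholder count does not match the bound arguments, before handing it
// to the transaction (a real Web SQL tx in the browser, a stub here).
function safeExecuteSql(tx, sql, args, onSuccess, onError) {
  if (sql.indexOf("'") !== -1) {
    throw new Error("inline string literal in SQL; bind the value via args instead");
  }
  if (countPlaceholders(sql) !== args.length) {
    throw new Error("placeholder count does not match args length");
  }
  tx.executeSql(sql, args, onSuccess, onError);
  return { sql: sql, args: args };
}

// Unsafe pattern the guard exists to stop: data spliced into the SQL text.
// Even a legitimate name such as O'Brien breaks the statement's structure,
// which is the same weakness an injection attack relies on.
function lookupNotesUnsafe(tx, owner) {
  return safeExecuteSql(tx, "SELECT * FROM notes WHERE owner = '" + owner + "'", []);
}

// Safe pattern: fixed statement text, value bound separately.
function lookupNotesSafe(tx, owner) {
  return safeExecuteSql(tx, "SELECT * FROM notes WHERE owner = ?", [owner]);
}

// Constructed stand-in for a Web SQL transaction so the example runs
// outside a browser; it records each call instead of touching a database.
function makeStubTx() {
  const calls = [];
  return {
    calls: calls,
    executeSql: function (sql, args) { calls.push({ sql: sql, args: args }); }
  };
}
```

In a browser the same guard wraps the real transaction passed to `db.transaction(function (tx) { ... })`, so the stub is only needed for testing.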

Increased provision for client-side storage is likely to have a large impact upon the web applications we use (in particular by facilitating their offline use). However, the technologies may in turn significantly broaden the scope for attackers. As ever, users will be reliant upon the browsers to implement the specifications correctly, consistently and with security in mind. One thing is for sure: attackers will already be investing energy into working out how some of the new features could be exploited.