It's astonishing that 10 years of technological progress have produced web application behemoths like Facebook, Twitter, Yahoo! and Google, while the actual technology inside the web browser remained relatively stagnant. Companies have grown to billion-dollar valuations (realistic or not) by figuring out how to shovel HTML over HTTP in ways that make investors, advertisers, and users happy.
The emerging HTML5 standard finally breathes some fresh air into the programming possible inside a browser. Complex UIs used to be the purview of plugins like Flash and Silverlight (and decrepit, insecure ActiveX). The JavaSc ript renaissance seen in YUI, JQuery, and Prototype significantly improve the browsing experience. HTML5 will bring sanity to some of the clumsiness of these libraries and provide significant extensions.
Here are some of the changes HTML5 will bring and what they mean for web security
Cross-Origin Resource Sharing
An HTML5 feature with possibly the most potential for mistakes is the Cross-Origin Resource Sharing (CORS) that relaxes the fundamental security mechanism of a browser, the Same Origin Rule. CORS isn't an arbitrary change; it's a step towards standardizing what developers are already trying to do in order to build higher-performance sites.
Basically, CORS defines a group of client and server headers that enable a site to define origins that are allowed to interact with another origin's context. It also provides granularity of lifetime and request methods for this site-defined access control. The following headers s how how simple this is to...
