This chapter discusses the current security status of the Web and the technologies around it, and looks at where the Web is heading, both in its standard technologies (CSS3, HTML5) and in plug-in security (Flash and Java). HTML5 introduces several new mechanisms aimed at the most persistent security problems on the Web today: seamless iframes and sandboxed HTML to contain cross-site scripting, and CORS and UMP to address cross-site request forgery. Other extensions, such as X-Frame-Options, directly target UI redressing (clickjacking). Strict Transport Security addresses some types of mixed content problems, and Content Security Policy lets a site declare a browser-enforced policy that covers mixed content as well as cross-site scripting and UI redressing. Because these changes are extensively peer-reviewed and analyzed long before they are adopted and implemented, they can be assumed to have reached some level of security maturity by the time they are widely deployed. Plug-ins, in contrast, ship on a roughly quarterly basis with powerful new features that can be used to break the Web security model. Plug-ins that extend the capabilities of ordinary Web browsing are sometimes used to push nonstandard features onto the Web; although they enable interesting new capabilities, the consequences can be devastating. A more dynamic standards body would remove the need for this kind of plug-in and improve the security of the Web as a whole.
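The defenses the abstract lists are all delivered as HTTP response headers, and each has well-known weak configurations. The following is an added example, not code from the chapter or its authors: a small audit function that takes a response's headers and reports the weak settings for X-Frame-Options, Strict-Transport-Security, Content-Security-Policy and the CORS headers. The 180-day HSTS threshold and all sample header values are constructed for the example.

```javascript
// Added example, not code from the chapter: audit the response headers the
// abstract names. Header names are matched case-insensitively; all sample
// values further down are constructed.

const MIN_HSTS_MAX_AGE = 15552000; // 180 days; chosen threshold, not a spec requirement

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

// A CSP value is a ';'-separated list of "directive source source ..." entries.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

function auditSecurityHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];
  const add = (header, severity, issue, fix) => findings.push({ header, severity, issue, fix });
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;

  // UI redressing: X-Frame-Options, or the CSP frame-ancestors directive that supersedes it.
  const xfo = h['x-frame-options'];
  if (!xfo && !(csp && csp['frame-ancestors'])) {
    add('x-frame-options', 'high', 'page can be framed by any origin',
      'send "X-Frame-Options: DENY" or a CSP frame-ancestors directive');
  } else if (xfo && /^allow-from\b/i.test(xfo)) {
    add('x-frame-options', 'medium', 'ALLOW-FROM is not supported by current browsers and gives no protection in them',
      'allow-list framing parents with CSP frame-ancestors instead');
  } else if (xfo && !/^(deny|sameorigin)$/i.test(xfo)) {
    add('x-frame-options', 'medium', `unrecognised value "${xfo}"`, 'use DENY or SAMEORIGIN');
  }

  // Transport: HSTS stops the browser from falling back to plain HTTP for the given period.
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    add('strict-transport-security', 'high', 'no HSTS; plain-HTTP requests and downgrades remain possible',
      'send "Strict-Transport-Security: max-age=31536000; includeSubDomains"');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < MIN_HSTS_MAX_AGE) {
      add('strict-transport-security', 'medium', `max-age ${maxAge} is shorter than ${MIN_HSTS_MAX_AGE} seconds`,
        'raise max-age to at least 180 days');
    }
    if (!/includesubdomains/i.test(hsts)) add('strict-transport-security', 'low', 'subdomains are not covered', 'add includeSubDomains');
  }

  // Script injection: script-src (or the default-src fallback) decides what CSP actually buys.
  if (!csp) {
    add('content-security-policy', 'high', 'no CSP; an injected script runs unrestricted', 'send a CSP with script-src');
  } else {
    const scriptSrc = csp['script-src'] || csp['default-src'];
    if (!scriptSrc) {
      add('content-security-policy', 'high', 'neither script-src nor default-src is set', 'add script-src');
    } else {
      // CSP Level 2 browsers ignore 'unsafe-inline' when a nonce or hash source is present,
      // so it only matters when it is the effective policy.
      const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
      if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
        add('content-security-policy', 'high', "'unsafe-inline' in script-src lets injected inline scripts run",
          "replace it with 'nonce-...' or 'sha256-...' sources");
      }
      if (scriptSrc.includes('*')) add('content-security-policy', 'high', 'script-src * allows scripts from any host', 'list the script hosts explicitly');
    }
  }

  // CORS: a credentialed response must name one concrete origin. Browsers reject '*'
  // with credentials, and 'null' is what sandboxed iframes and data: documents send as
  // their Origin, so allowing it hands the credentialed response to any such document.
  const acao = h['access-control-allow-origin'];
  const credentialed = /^true$/i.test(h['access-control-allow-credentials'] || '');
  if (credentialed && acao === '*') {
    add('access-control-allow-origin', 'medium', 'wildcard origin with credentials is rejected by browsers',
      'echo an allow-listed Origin value instead of *');
  } else if (credentialed && acao === 'null') {
    add('access-control-allow-origin', 'high', "'null' origin with credentials lets sandboxed or data: documents read the response",
      'never allow the null origin; allow-list real origins');
  }
  return findings;
}

// Constructed sample responses (not captured from any real site).
const WEAK_HEADERS = {
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
  'Access-Control-Allow-Origin': 'null',
  'Access-Control-Allow-Credentials': 'true',
};
const HARDENED_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Access-Control-Allow-Origin': 'https://app.example',
  'Access-Control-Allow-Credentials': 'true',
};

console.log(auditSecurityHeaders(WEAK_HEADERS));     // five findings
console.log(auditSecurityHeaders(HARDENED_HEADERS)); // []
```

The hardened set deliberately omits X-Frame-Options and relies on `frame-ancestors`, which the audit accepts, since the CSP directive is the standardized replacement; the weak set shows the four failure modes a header-only review catches most often: a non-functional `ALLOW-FROM`, a token HSTS lifetime, `'unsafe-inline'` without a nonce, and a credentialed CORS response to the `null` origin.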