close search bar

Sorry, not available in this language yet

close language selection

Introduction to HTML5 Security

Course Description

This course introduces the security model of the web and builds on top of that. The core focus of the course is HTML5, both its weaknesses and its strengths. We’ll talk about how attackers abuse legitimate interaction patterns in the browser and how to use various browser mechanisms for security. At the end, learners will have a good understanding of the security model of the web so they can spot potential security issues and implement appropriate defenses.

Learning Objectives

  • Explain the isolation boundaries enforced by modern browsers
  • Securely enable limited interactions between isolated contexts
  • Understand how UI redressing and tabnabbing attacks work and how to defend against them
  • Implement defenses to neutralize dangerous attributes of HTML5 forms
  • Understand how client-side storage mechanisms enlarge the attack surface
  • Illustrate the danger of injection vulnerabilities using payloads other than script injection.


Delivery Format: eLearning

Duration: 1 ¼ Hours

Level: Beginner

Intended Audience:

  • Architects
  • Back-End Developers
  • Front-End Developers


Course Outline

The Underlying Security Model

  • Browsing Contexts
  • The Concept of an Origin
  • Same-Origin Policy
  • Origin-Controlled Resources
  • Secure Contexts
  • Script Execution Contexts

Strong Isolation with iframes

  • Origin-Based Isolation
  • The Sandbox Attribute
  • Isolating Content from Your Own Origin with Sandboxed iframes
  • Sandboxing Content Directly

Communication Between Contexts

  • The Basics of Cross-Document Messaging
  • Cross-Document Messaging Security Considerations
  • Channel Messaging
  • Building a Client-Side Architecture

Tabnabbing and UI Redressing

  • Social Engineering Attacks
  • Tabnabbing Through window.opener
  • Traditional Clickjacking and UI Redressing Attacks
  • Drag-and-Drop Clickjacking Attacks
  • Restricting Framing as a Defense

HTML5 Form Security

  • New Form Capabilities
  • Injection Threats of Form Capabilities
  • Client-Side Input Validation

Advanced Injection Attacks

  • Dangling Markup Injection
  • Base Tag Injection
  • New XSS Attack Vectors
  • Script Gadgets

Client-Side Storage Mechanisms

  • Various Storage Mechanisms
  • The Storage Security Model
  • Security Considerations When Using Client-Side Storage


Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster