The Emperor's New APIs: On the (In)Secure Usage of New Client-side Primitives

Hixie recently mentioned to me the following paper from UC Berkeley that 
includes some analysis of the Web Storage [webstorage] and HTML5 Web 
Messaging [webmessaging] specs.

The Abstract:

[[
http://www.eecs.berkeley.edu/~sch/w2sp2010ena.pdf

Several new browser primitives have been proposed to meet the demands 
of application interactivity while enabling security. To investigate 
whether applications consistently use these primitives safely in 
practice, we study the real-world usage of two client-side primitives, 
namely postMessage and HTML5's client-side database storage. We examine 
new purely client-side communication protocols layered on postMessage 
(Facebook Connect and Google Friend Connect) and several real-world web 
applications (including Gmail, Buzz, Maps and others) which use 
client-side storage abstractions. We find that, in practice, these abstractions 
are used insecurely, which leads to severe vulnerabilities and can 
increase the attack surface for web applications in unexpected ways. We 
conclude the paper by offering insights into why these abstractions can 
potentially be hard to use safely, and propose the economy of 
liabilities principle for designing future abstractions. The principle 
recommends that a good design for a primitive should minimize the 
liability that the user undertakes to ensure application security.
]]

I mention this in case this article identifies issues the specs should 
or must address.

-Art Barstow

[webstorage] http://dev.w3.org/html5/webstorage/
[webmessaging] http://dev.w3.org/html5/postmsg/

Received on Monday, 17 January 2011 13:17:29 UTC