Google's ad change that ended Flash was the final nail in the coffin for Flash.
Even before that, famous technocrats like Steve Jobs spoke out against Flash.
With the demise of Flash and the rise of HTML5, a new era of better-looking, better-performing websites that work on mobile and PC alike has arrived.
Sending and receiving data has also become much easier than before.
However, HTML5 presents unique challenges that must be overcome.
The advantage is that HTML5 takes cross-browser support and functionality to a whole new level.
Certain browsers don't support individual site elements, and it is frustrating to have to change site elements just to keep up appearances.
HTML5 drops that requirement, as all modern browsers support it.
Cross-Origin Resource Sharing
Cross-Origin Resource Sharing (CORS) is one of the most influential features of HTML5 and also the one that carries the greatest chance of bugs and attacks.
CORS defines HTTP headers that let a site state which origins may interact with its resources.
With HTML5, CORS overrides the fundamental security mechanism built into browsers, the same-origin policy.
Under the same origin policy, a browser can allow one web page to access data from a second web page only if both web pages have the same origin.
What is an origin?
An origin is a combination of URI scheme, host name, and port number. This policy prevents malicious scripts from running and accessing data on web pages.
CORS relaxes this policy by allowing different sites to access the data to enable contextual interaction.
This can let an attacker gain access to sensitive data.
If you are logged into Facebook, stay logged in, and then visit another site, it is possible for attackers to steal information and do whatever they want with your Facebook account by taking advantage of the relaxed cross-origin policy.
On a related note, if a user logs into their bank account and forgets to log out, an attacker could gain access to the user's credentials and transactions, or even create new transactions.
When browsers store user data, they leave session cookies open to this kind of exploitation.
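The server decides how far the same-origin policy is relaxed, so the risk described above usually comes from a CORS handler that reflects any Origin while allowing credentials. The following is an added example, not code from the original post: a weak reflecting policy beside a corrected exact-match allow-list; the function names, the allow-list entries and the sample origins are all constructed for illustration.

```javascript
// Added example (not part of the original post). Assumed names:
// ALLOWED_ORIGINS, weakCorsHeaders, strictCorsHeaders, normalizeOrigin.

// An origin is scheme + host + port, compared as an exact string.
// URL.origin drops default ports, so "https://a.example:443" and
// "https://a.example" compare equal; anything unparseable (e.g. the
// literal "null" origin of a sandboxed frame) yields null.
function normalizeOrigin(requestOrigin) {
  try {
    return new URL(requestOrigin).origin;
  } catch (e) {
    return null;
  }
}

// Weak setting: echo whatever Origin the browser sent and allow credentials.
// Any site a logged-in user visits can now read responses that carry the
// user's session cookie, which is exactly the Facebook/bank scenario above.
function weakCorsHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected setting: exact-match allow-list (constructed values). Unknown
// origins get no CORS headers at all, so the browser keeps enforcing the
// same-origin policy for them. Substring or prefix checks are avoided because
// "https://app.example.com.attacker.example" would pass them.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

function strictCorsHeaders(requestOrigin) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Vary prevents a shared cache from serving one origin's header to another.
    'Vary': 'Origin',
  };
}

// Constructed sample origins: one legitimate, two lookalikes, one sandboxed.
const SAMPLE_ORIGINS = [
  'https://app.example.com:443',
  'https://app.example.com.attacker.example',
  'https://evilapp.example.com',
  'null',
];
for (const o of SAMPLE_ORIGINS) {
  console.log(o, '->', JSON.stringify(strictCorsHeaders(o)));
}
```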
Attackers can also tamper with headers to trigger unvalidated redirects.
Unvalidated redirects occur when untrusted input is accepted and used to issue a redirect. The untrusted URL can be modified to point to a malicious site, enabling phishing scams that present URLs that look identical to the real site.
Unvalidated redirect and forward attacks can also be used to craft a URL that passes the application's access-control check and then forwards the attacker to privileged functions they would not normally be able to reach.
Here’s what developers need to be aware of to prevent these things from happening.