HTML5 Security

Monkey Archive Forums/Digital Discussion/HTML5 Security

Soap(Posted 2013) [#1]
- Weird double post?


Soap(Posted 2013) [#2]
For you HTML5 focused game devs, this article, and especially the links provided are good to read: http://elitistinen.newgrounds.com/news/post/841600

http://html5sec.org/
https://code.google.com/p/html5security/
http://www.andlabs.org/html5.html
https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet


Paul - Taiphoz(Posted 2013) [#3]
These are not HTML5 issues, they are Internet issues; people (hackers) have been abusing SQL injections, cross-site scripting and malicious code on the net since the dawn of time, the language is irrelevant.

HTML5 cannot stop XSS, it cannot stop SQL injections, not without removing the ability to call external websites, and that's something that should not be locked down.

What this does highlight is that NG are idiots who do not vet their content submissions. No sane web host would allow a user to upload raw PHP and execute it, nor should they allow anyone to upload any form of persistent code from any language and execute it; they are simply begging to get messed with.

This post by that guy should have been called something like "web hosts are dumb", not "the dangers of HTML5".

If in doubt, run it in a sandbox.


Goodlookinguy(Posted 2013) [#4]
Taiphoz, I had the exact same thought after I visited the page earlier. They were talking about general web security issues that I dealt with long before HTML5 was even a thing.

As for the PHP comments, I agree and disagree. When in the hands of a skilled programmer, PHP is just fine. In the hands of the majority of people who use it, it's a security breach waiting to happen.


Paul - Taiphoz(Posted 2013) [#5]
Yeah, with PHP it's very easy to be sloppy, and when it comes to a language whose purpose is serving dynamic content, sloppy is one thing you really can't afford to be.


Soap(Posted 2013) [#6]
Fair enough - they're web security issues as a whole and not exclusive to HTML5. People who are interested in focusing on HTML5 games are likely willing to host other people's games on their sites, which makes this relevant.

Don't host HTML5 games on your site without looking at them very carefully. The main login cookies for monkeycoder are set to the www.monkeycoder.co.nz subdomain and the monkeycoder.co.nz apex domain. If the cookies were set to the .monkeycoder.co.nz domain, it would mean that the subdomain where the apps are stored, apps.monkeycoder.co.nz, would have access to the cookie's information.


Paul - Taiphoz(Posted 2013) [#7]
With HTML5, anyone using or hosting should be using the iframe sandbox; if NG are not using the sandbox then they are even more dumb than I already think they are.

Common practice is to turn on the sandbox and then only activate the capabilities that the app actually needs.

<iframe sandbox="" src=""> or if your app needs a specific thing like pop ups then you would do something like <iframe sandbox="allow-popups" ....

Never actually thought to check if monkeycoder uses the sandbox but I assume it does.
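The two checks discussed in posts #6 and #7, as an added example that is not code from the thread or from monkeycoder: building a sandbox attribute from an allow-list of capabilities (refusing the one combination that defeats it), and testing whether a session cookie's Domain attribute would reach the host that serves third-party apps. The cookie list is constructed for illustration and is not the real site's configuration.

```javascript
// Added example, not from the thread. Two checks a site hosting
// third-party HTML5 games can run before embedding one.

// Tokens the HTML spec defines for the iframe sandbox attribute.
const SANDBOX_TOKENS = new Set([
  "allow-forms", "allow-modals", "allow-pointer-lock", "allow-popups",
  "allow-popups-to-escape-sandbox", "allow-same-origin", "allow-scripts",
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
]);

// Build the sandbox attribute value from the capabilities a game declares
// it needs. Everything not listed stays disabled: sandbox on, then grant
// only what is required.
function buildSandbox(needs) {
  for (const cap of needs) {
    if (!SANDBOX_TOKENS.has(cap)) throw new Error(`unknown sandbox token: ${cap}`);
  }
  // Caveat: scripts plus same-origin lets framed content served from the
  // embedding origin reach the parent document and strip its own sandbox
  // attribute, so that pairing protects nothing and is rejected here.
  if (needs.includes("allow-scripts") && needs.includes("allow-same-origin")) {
    throw new Error("allow-scripts with allow-same-origin defeats the sandbox");
  }
  return [...new Set(needs)].sort().join(" ");
}

// Does a cookie reach the host that serves untrusted apps? Per RFC 6265 a
// cookie with a Domain attribute (leading dot ignored) is sent to that domain
// and every subdomain; a cookie without one is host-only.
function cookieReachesHost(setByHost, domainAttr, host) {
  if (domainAttr === null) return host === setByHost;
  const d = domainAttr.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Names of the cookies that would be readable from appHost.
function leakingCookies(cookies, appHost) {
  return cookies.filter(c => cookieReachesHost(c.setBy, c.domain, appHost))
                .map(c => c.name);
}

// Constructed sample: one host-only login cookie and one scoped to the
// whole domain, both set by the main site.
const SAMPLE_COOKIES = [
  { name: "session_host_only", setBy: "www.monkeycoder.co.nz", domain: null },
  { name: "session_wide", setBy: "www.monkeycoder.co.nz", domain: ".monkeycoder.co.nz" },
];
```

Running `leakingCookies(SAMPLE_COOKIES, "apps.monkeycoder.co.nz")` reports only the domain-wide cookie, which is exactly the scoping post #6 warns against.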


Paul - Taiphoz(Posted 2013) [#8]
OK, so this site does not use the sandbox. I am sure there is a good functionality reason for them to not use it, I hope :)