
What HTML5 security measures do enterprises need to take?

With HTML5 taking over as the preferred technology over Adobe Flash, Flash content's days are numbered. Expert Michael Cobb discusses HTML5 security and features for developers.

Critics have been predicting the end of Flash for a while, and with Adobe's recent moves to rename its Flash Professional CC suite -- now Animate CC -- and support development of HTML5, it looks like that day may be arriving soon. What do these recent developments mean for the future of Flash, and what should developers keep in mind about HTML5 security as they plan to transition away from Flash?

Rebranding a product is often a sign that a vendor knows it's losing appeal or relevance in the marketplace. Changing the name of Flash Professional CC to Animate CC is evidence that Adobe recognizes the need to accommodate the growing adoption of the open source markup language HTML5 by developers who want to deliver dynamic multimedia Web content. Many browsers now disable Flash by default, making HTML5 the obvious choice for enterprises that want to reach the widest audience across all devices, as users wouldn't have to make any configuration changes for it to work.

Flash has long been plagued by security flaws. Although Adobe said it will continue to develop security and feature updates for Flash, enterprises that still need to support existing Flash content, such as Web-based games and streaming video services, should begin planning the process of transitioning away from Flash to HTML5 sooner rather than later. This will prevent a situation where developers are suddenly forced to migrate Flash content if Adobe announces its end of life. Replacing a site's applications and code with HTML5 is a big undertaking, not just in ensuring a similar or better user experience, but also in keeping the user's system and data secure. A rushed migration has the potential to introduce HTML5-related vulnerabilities, as the standard allows far more access to a computer's resources through increased local storage and offline caching, as compared to its predecessor HTML4.

Enterprises must ensure their developers fully understand the new functionality and HTML5 security features and how to implement them. For example, the Same Origin Policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical browser security control for isolating potentially malicious documents. HTML5, however, adds support for cross-origin resource sharing (CORS), which relaxes the Same Origin Policy by letting a Web server declare that its resources may be accessed by a Web page from a different domain. Unless developers know how CORS works, they can easily make erroneous assumptions and allow attackers access to content that should not be shared. The same holds true for HTML5 cross-document messaging. It is secure when properly used, but if developers don't check that incoming messages originate from their own sites, malicious code on other sites can send spoofed messages that the receiving page will act on.
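The two checks described above, as an added example that is not from the article or from any product it mentions: a single exact-match origin allowlist used both by a cross-document messaging receiver and by a server-side CORS decision. The origins, function names and message schema are assumptions chosen for illustration.

```javascript
// Added example (not from the article). One strict origin allowlist shared by
// two HTML5 features the article names: cross-document messaging
// (window.postMessage) and CORS. All names and origins here are assumptions.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",   // constructed sample values
  "https://media.example.com",
]);

// Exact comparison of the whole origin (scheme + host + port). A substring or
// prefix test such as origin.includes("example.com") would also accept
// "https://example.com.attacker.invalid", which is the classic mistake.
function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// Cross-document messaging receiver. Returns the accepted message when the
// sender's origin is trusted, otherwise null. In a page it is wired up as:
//   window.addEventListener("message", (e) => handleMessage(e));
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) {
    return null;                         // drop spoofed or unexpected senders
  }
  // Even trusted senders only get a fixed schema honoured, not arbitrary data.
  const data = event.data;
  if (!data || typeof data.type !== "string") {
    return null;
  }
  return { type: data.type, payload: data.payload };
}

// Server-side CORS decision written as a pure function over the request's
// Origin header. Returns the response headers to add, or null when the
// origin is not allowlisted (the browser then blocks the cross-origin read).
// Reflecting any incoming Origin together with credentials is the
// "erroneous assumption" the article warns about; the allowlist prevents it.
function corsHeadersFor(requestOrigin) {
  if (!isTrustedOrigin(requestOrigin)) {
    return null;
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                    // caches must key responses on Origin
  };
}
```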

The fact that HTML5 is a more flexible and integrated technology means there is a greater potential risk of privacy invasion and data loss. Existing functionality such as data validation checks and filters will need to be reviewed during the migration process, as new HTML5 security features and attributes need to be taken into account to ensure all data sent via the browser is checked. HTML5 provides a path to standardization, and by removing the need for proprietary third-party multimedia plug-ins like Flash and Silverlight, it can close a popular attack vector exploited by cybercriminals. However, it's still an evolving standard and not immune to vulnerabilities; it's certainly not a security cure-all. If developers write HTML5 code without a solid understanding of the security and privacy implications of its various features, they will just be replacing the vulnerabilities of insecure add-ons like Adobe Flash with new opportunities for cybercriminals.



This was last published in April 2016
