The Emperor's New APIs: On the (In)Secure Usage of New Client-Side Primitives

Date Added: May 2010
Format: PDF

Several new browser primitives have been proposed to meet the demands of application interactivity while still enabling security. To investigate whether applications consistently use these primitives safely in practice, the authors study the real-world usage of two client-side primitives, namely postMessage and HTML5's client-side database storage. They examine new purely client-side communication protocols layered on postMessage (Facebook Connect and Google Friend Connect) and several real-world web applications (including Gmail, Buzz, Maps and others) that use client-side storage abstractions.