Html 5 Security Leverages cross- domain Messaging

HTML5 is one of the Upcoming technology for the forthcoming generation web app development that has brought exciting new features of the web world. HTML5 applications are far and wide used in the mobile application world. But along with the peculiarities, HTML5 has brought vivid new attack vectors as well.

Before moving further with the security concepts of cross domain messaging, let us get into the basics of how cross domain messaging is carried out in HTML5.

Cross domain messaging using postMessage() Method

Because of some root policy restrictions before HTML5, Earlier sending of messages between two host was only possible if both use the same protocol, host and port no.

But, with the commencement of HTML5 , all those restriction are faded and one can pass out messages across the domain constrain without taking care of the policy imposed on HTML5 earlier.

Thanks to HTML5, by introducing a method named postMessage() that let you pass messages between two frames regardless of same protocol,host and port .

Syntax:

otherWindow.postMessage(message, targetOrigin, [transfer]);

1)Message:

Consist of Data to be sent to the other window.

Here data is serialized using Structured Clone algorithm that allows you to pass large no data object regardless of serializing them .

2)TargetOrigin:

Specifies the origin of other window for the event to be dispatched either “*” or URI.

If at the time of dispatch parameters like Scheme , hostname or port no are not similar as provided in target origin then event will not be dispatched.

3)Transfer:

Case: Optional

It is the queue of transferable objects along with the message whose ownership are in hands of destination.

 

Now, for better digestion of cross-domain messaging concept lets setup an Practical lab to illustrate it briefly.

 

 

Practical Approach of Cross-domain Messaging:

 

 

Case A: http://localhost:8383/                                                                          Case B : http://localhost/

 

                                                                    

As we can see there are two cases Case A and Case B with both located on different port.

As you can see from above screenshot a message is been sent from Case A to Case B and is received simultaneously.

But when during sending of message if Case A sets the target origin as “*” as the receiving window Case B is listening for incoming request anyone can listen to request and load it into iframe . So if we want particular window to listen for request call a checking of origin is done as below:

function receiveMessage(e) {

if (e.origin !== "http://localhost:8383")

return;

do something..!

}

Why the need for Cross-Domain arises?

Cross Domain Solution distinct information to users without disclosing the entire confidential data at multiple levels, which can make it susceptible to unintended revelations.

The hazard of destruction is subjectively confirmed in the lightroom of potential program flaws.

Cross Domain Solutions caters information to critical users who are in need of it while blocking access to classified data from unauthorized users; in the process of guarding networks from being maliciously or unintentionally suffering data corruption.

Cross Domain Solutions has made the process of dividing data among coalition buddies in combat extremely streamlined.

Some of the areas where immense need of Cross-platform messaging is in demand are :

Cyber-security                                                                                              Supply Chain Security

Cloud Assurance                                                                                             Defense System

Cross Domain Conflicts& Solutions

The major Issues paced-off by Cross Domain Solutions are:

• Enhancing the ability of defense systems at lowered cost of development, attainment and operation by creating multi-level secure systems operating various simultaneous applications on single processor.

• Should be able to provide higher mortality, grit, peculiarity, fluidity, connectivity, security, safety at reduced purchase, implementation and technical training cost expense.

   

  From one of the resource a comparison is been conducted about implementation of cross-platform app in various platform as below:

As you can see above, there are few important features which are possible in Native apps but not possible in HTML5 apps. For eg. in future if you would like to add features like image capturing, contacts or push notification in your app then it won’t be possible in HTML5 apps. Also HTML5 apps are not secure as they use Shared SQL database in device.

I would recommend you to consider all above key things and then take a decision that will help you to make the best app with one of the top app development companies that is Hyperlink Infosystem. You can also hire best app developers India for your mobile app development. Contact us now for any inquiry or free quote.