A repository of all HTML5 Security resources is available here

Web SQL

A detailed article on Web SQL Database security is here

Quick Checklist:

  • Use Prepared Statements to prevent SQL Injection
  • Encode data fetched from database before displaying to prevent Cross-site Scripting
  • Do not store sensitive information in the client-side database
  • Ensure explicit permission from each system user before storing data
  • Use unique database names to minimize data loss in client-side attacks
  • Create the database over SSL to prevent DNS spoofing/browser phishing attacks
  • Do not trust client-side data

Demos:

Cross Origin Requests

A detailed article on Cross Origin Request security is here

Quick Checklist:

  • Do not have a universal allow setting
  • Do not have too many pages/features exposed to COR
  • Do not use Origin header in Access Control decisions
  • Return user-specific information only to COR requests with valid credentials
  • Do not cache preflight responses for too long
  • Validate COR request and response even from trusted sites
  • Do not process rogue COR requests
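The checklist above turned into a server-side CORS policy, as an added example that is not part of the original page: an exact-match origin allowlist instead of a universal allow, credentials only for allowlisted origins, a short preflight cache, Origin used only to pick CORS headers (not for authorisation), and rogue COR requests rejected outright. The origins, the `session` cookie check and the user payload are assumptions made up for the demonstration.

```javascript
// Added example (not the page's own code); origins below are constructed values.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const PREFLIGHT_MAX_AGE_SECONDS = 600; // keep preflight caching short (10 minutes)

// CORS headers for an allowed origin, or null for anything else.
function corsHeadersFor(origin) {
  // Exact-match allowlist: no '*', no prefix/suffix matching that a lookalike
  // origin such as https://app.example.com.attacker.test would pass.
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,        // echo the one allowed origin, never '*'
    'Access-Control-Allow-Credentials': 'true',   // credentials only for allowlisted origins
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Access-Control-Max-Age': String(PREFLIGHT_MAX_AGE_SECONDS),
    'Vary': 'Origin',                             // stop caches reusing one origin's response
  };
}

// CORS handling only: status null means "continue to the application",
// any other status means "send it and stop". Origin never decides authorisation.
function corsDecision(method, origin) {
  if (origin === undefined) return { status: null, headers: {} }; // no Origin: not a COR
  const headers = corsHeadersFor(origin);
  if (headers === null) return { status: 403, headers: {} };      // rogue COR: do not process
  if (method === 'OPTIONS') return { status: 204, headers };      // answer the preflight
  return { status: null, headers };
}

// Placeholder session check (assumption): a real one validates the cookie
// value against the server-side session store.
function hasValidSession(req) {
  return /(^|;\s*)session=\w+/.test(req.headers.cookie || '');
}

// Node.js request handler; wire it up with http.createServer(handler).
function handler(req, res) {
  const d = corsDecision(req.method, req.headers.origin);
  for (const [name, value] of Object.entries(d.headers)) res.setHeader(name, value);
  if (d.status !== null) { res.statusCode = d.status; res.end(); return; }
  // User-specific data requires valid credentials, same-origin or cross-origin alike.
  if (!hasValidSession(req)) { res.statusCode = 401; res.end(); return; }
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ user: 'alice' }));           // constructed user-specific response
}
```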

Demos: