jQuery has made it practical for developers to move ever more complex application logic from the server down to the client. That is a huge opportunity for JavaScript developers, and at the same time it presents a tempting target for people with malicious intent. Getting security right is more critical than ever, and happily, modern browsers are here to help. Here we'll look at some of the newer mechanisms you can use to limit the effects of cross-site scripting and related attacks.
22. Limit the browser’s capabilities
“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
Jerome H. Saltzer, "Protection and the control of information sharing in Multics" (Communications of the ACM, 1974)
34. <iframe src="page.html" sandbox></iframe>
<!--
An empty sandbox attribute applies every restriction:
* Unique origin: the framed document is treated as cross-origin with
  its embedder even when it is served from the same host, so it cannot
  read the embedder's cookies or DOM.
* No plugins.
* No script.
* No form submissions.
* No top-level navigation.
* No popups.
* No autoplay.
* No pointer lock.
* No seamless iframes.
-->
35. <iframe src="page.html"
sandbox="allow-forms allow-pointer-lock allow-popups
allow-same-origin allow-scripts
allow-top-navigation"></iframe>
<!--
With every allow-* token set, only two restrictions remain:
* No plugins.
* No seamless iframes.
Caveat: allow-scripts together with allow-same-origin is only safe for
content from an origin you do not control. If the framed document is
same-origin with its embedder, its script can reach window.parent, remove
the sandbox attribute and reload itself, escaping the sandbox entirely.
-->
36. <!-- User-generated content? (in The Near Future™) -->
<iframe
seamless
srcdoc="<p>This is a comment!</p>"
sandbox></iframe>
<!--
srcdoc is an attribute value: escape & as &amp; and " as &quot; in the
user's HTML, or a comment can close the attribute and inject markup into
the embedding page itself. Without allow-same-origin the srcdoc document
gets a unique origin, so whatever it contains cannot touch the embedder.
-->
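As an added example that is not part of the original slides, the following JavaScript puts slides 35 and 36 together: it escapes untrusted HTML so it can be carried safely in a srcdoc attribute, and it audits the sandbox token list before the frame is emitted, refusing the allow-scripts plus allow-same-origin pairing that would let srcdoc content remove its own sandbox. The function names (escapeAttribute, auditSandbox, sandboxedFrame) and the sample hostile comment are this example's own constructions, not anything from the talk.

```javascript
// Added example (not from the original slides): build a sandboxed <iframe srcdoc>
// for untrusted HTML and audit the sandbox token list before emitting the frame.
// All function names here are this example's own.

// Sandbox tokens listed on the slides (the allow-* set of the time).
const KNOWN_SANDBOX_TOKENS = new Set([
  'allow-forms', 'allow-pointer-lock', 'allow-popups',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
]);

// Escape a string for a double-quoted HTML attribute value. Only & and " can
// break out of the attribute, but escaping < and > as well is harmless: the
// attribute parser decodes the references before the frame parses the HTML,
// so the framed document still sees the original markup.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Parse a sandbox attribute value and report two things a reviewer looks for:
// tokens that are not known sandbox keywords (browsers ignore them, so a typo
// silently grants nothing), and the allow-scripts + allow-same-origin pairing.
// With that pairing a framed document that is same-origin with its embedder
// can walk up to window.parent and delete the sandbox attribute.
function auditSandbox(value) {
  const tokens = new Set(value.trim().split(/\s+/).filter(Boolean));
  return {
    tokens: [...tokens],
    unknown: [...tokens].filter((t) => !KNOWN_SANDBOX_TOKENS.has(t)),
    escapeHatch: tokens.has('allow-scripts') && tokens.has('allow-same-origin'),
  };
}

// Render untrusted HTML (a user comment, say) into a sandboxed srcdoc frame.
// `sandbox` is the attribute value; '' keeps every restriction. An about:srcdoc
// document takes its embedder's origin unless sandboxed into a unique one, so
// the escape-hatch pairing is fatal here and is refused outright.
function sandboxedFrame(untrustedHtml, sandbox = '') {
  const audit = auditSandbox(sandbox);
  if (audit.unknown.length) {
    throw new Error('unknown sandbox token(s): ' + audit.unknown.join(' '));
  }
  if (audit.escapeHatch) {
    throw new Error('allow-scripts with allow-same-origin lets srcdoc content remove the sandbox');
  }
  const attr = audit.tokens.length ? ` sandbox="${audit.tokens.join(' ')}"` : ' sandbox';
  return `<iframe${attr} srcdoc="${escapeAttribute(untrustedHtml)}"></iframe>`;
}

// Constructed sample input: a comment that tries to close the srcdoc attribute
// and inject a script into the embedding page. After escaping, the only two
// double quotes in the output are the attribute delimiters.
const hostileComment = '"><script>alert(document.cookie)</script>';
console.log(sandboxedFrame('<p>This is a comment!</p>'));
console.log(sandboxedFrame(hostileComment));
console.log(auditSandbox('allow-same-origin allow-scripts'));
```

The builder deliberately throws rather than warns on the escape-hatch pairing, because for srcdoc there is no cross-origin case in which it would be acceptable; for a frame loading a page from somebody else's origin, as on slide 35, the same pairing is a judgement call and auditSandbox's report is enough.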