Enisa highlights 50 security threats in web standards including HTML5

European security agency Enisa has warned that many modern web standards may need rewriting, after releasing a security review which found 50 threats in standards such as HTML5.

The report, A Security Analysis of Next Generation Web Standards, was undertaken by the agency at a time when many of the standards are still being finalised, explained co-editor Giles Hogben.

"Many of these specifications are reaching a point of no return. For once, we have the opportunity to think deeply about security before the standard is set in stone, rather than trying to patch it up afterwards," he said.

"This is a unique opportunity to build in security-by-design."

The report analyses 13 World Wide Web Consortium (W3C) standards including HTML5, those for cross-origin communication interfaces such as CORS and XHR, device APIs including geo-location, and widgets.

Worryingly, the paper identifies several problems with HTML5, which is being promoted by big name vendors and will be the standard for web page creation for many years to come.

These include the ability to disable click-jacking protection, and to more easily lure an end user into submitting an online form to "an attacker-controlled destination".

Other common security problems include unprotected access to sensitive information, and under-specified features which Enisa warned could lead to implementation errors.

Enisa's recommendations to improve security in the standards include enhancing access control policies, tightening permissions systems and applying "permission awareness indicators" for users.

The W3C welcomed the review, and encouraged Enisa to report any issues outlined to the relevant W3C Working Groups.