European security agency Enisa has warned that many modern web standards may need rewriting, after releasing a security review which found 50 threats in standards such as HTML5.
The report, A Security Analysis of Next Generation Web Standards, was undertaken by the agency at a time when many of the standards are still being finalised, explained co-editor Giles Hogben.
"Many of these specifications are reaching a point of no return. For once, we have the opportunity to think deeply about security before the standard is set in stone, rather than trying to patch it up afterwards," he said.
"This is a unique opportunity to build in security-by-design."
The report analyses 13 World Wide Web Consortium (W3C) standards including HTML5, those for cross-origin communication interfaces such as CORS and XHR, device APIs including geo-location, and widgets.
Worryingly, the paper identifies several problems with HTML5, which is being promoted by big name vendors and will be the standard for web page creation for many years to come.
These include the ability to disable click-jacking protection, and to more easily lure an end user into submitting an online form to "an attacker-controlled destination".
Other common security problems include unprotected access to sensitive information, and under-specified features which Enisa warned could lead to implementation errors.
Enisa's recommendations to improve security in the standards include enhancing access control policies, tightening permissions systems and applying "permission awareness indicators" for users.
The W3C welcomed the review, and encouraged Enisa to report any issues outlined to the relevant W3C Working Groups.
Some parts of Atacama have not received rainfall for 500 years - but a sudden deluge of water upset the Desert's delicate biological balance
Spitzer Space Telescope could not spot Oumuamua, suggesting that it is actually pretty small
Greenland crater one of the 25 largest impact craters on Earth
This long-sought progenitor star was identified in an image captured by Hubble in 2007