Client-side storage (sessionStorage and globalStorage) as well as offline application support (including client-side databases, offline content serving/manifests, eventing, etc) have all been codified into HTML5. Not a super big surprise because they've been in WHATWG spec for a while but certainly plan for them to take on a larger role in web apps then when they were simply implemented in Mozilla (DOMStorage) or as a browser plug-in (Google Gears)

Attacks and defense against these features is discussed in chapters 8 and 9 of our book.

Remember folks, its only an increased attack surface ;-)