BSides Munich
Mike West
April 03, 2017
Transcript
Hardening the Web Platform
Mike West, @mikewest, mkwst@google.com
Slides: https://goo.gl/F0o9kR
https://goo.gl/MycPb7
"Sharpening", https://flic.kr/p/sbo18H
"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
https://securethe.news/
https://letsencrypt.org/
https://caddyserver.com/
https://goo.gl/ptS8FO https://goo.gl/nzbqQo
Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us
Content-Security-Policy: upgrade-insecure-requests https://goo.gl/hcin3m
https://goo.gl/51hqZa
https://goo.gl/Kd2eMQ
https://goo.gl/ciyreA
https://goo.gl/rStTGz
AppCache, getUserMedia, crypto.subtle.*, ServiceWorker, navigator.credentials, navigator.geolocation, PaymentRequest, EME, Notification (https://goo.gl/rStTGz)
https://goo.gl/Wwpnjw https://goo.gl/fzVgNt
127.0.0.1 192.168.1.1 192.220.74.179 https://goo.gl/Wwpnjw
https://goo.gl/Wamh7S
default-src 'none';
base-uri 'self';
block-all-mixed-content;
child-src render.githubusercontent.com;
connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com;
font-src assets-cdn.github.com;
form-action 'self' github.com gist.github.com;
frame-ancestors 'none';
frame-src render.githubusercontent.com;
img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com;
media-src 'none';
object-src assets-cdn.github.com;
plugin-types application/x-shockwave-flash;
script-src assets-cdn.github.com;
style-src 'unsafe-inline' assets-cdn.github.com
https://goo.gl/lJq6jj https://goo.gl/dqPkYn
script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com https://www.google-analytics.com 'self';
frame-ancestors 'self';
font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self';
style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
object-src https://twitter.com https://pbs.twimg.com;
default-src 'self';
frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com;
img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self';
report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
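Policies like the ones above can be checked mechanically. As an added example in JavaScript (not code from the talk), a small linter that parses a Content-Security-Policy header into directives and flags the weaknesses these slides contrast; the sample policies are constructed here, the first being the "pro tip" header.

```javascript
// Added example, not from the talk: a small Content-Security-Policy linter that
// parses a policy header into directives and flags the weaknesses the slides
// contrast: broad scheme sources, 'unsafe-inline' without a nonce or hash,
// 'unsafe-eval', and a missing object-src or base-uri. Sample policies are
// constructed for the demo; the first is the talk's "pro tip" header.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; keep the first one seen.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// script-src falls back to default-src when absent (CSP fallback rules).
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const scripts = policy.get("script-src") || policy.get("default-src");
  if (!scripts) {
    findings.push("no script-src or default-src: scripts may load from anywhere");
  } else {
    const nonceOrHash = scripts.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
    if (scripts.includes("'unsafe-inline'") && !nonceOrHash)
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    if (scripts.includes("'unsafe-eval'"))
      findings.push("script-src allows 'unsafe-eval'");
    for (const s of scripts) {
      if (/^(\*|https?:|data:)$/.test(s))
        findings.push(`script-src allows any ${s} source`);
      if (s.startsWith("http://"))
        findings.push(`script-src trusts a cleartext origin: ${s}`);
    }
  }
  if (!policy.has("object-src") && !policy.has("default-src"))
    findings.push("no object-src: plugin content may load from anywhere");
  if (!policy.has("base-uri"))
    findings.push("no base-uri: an injected <base> can redirect relative script URLs");
  return findings;
}

// Constructed sample policies.
const PRO_TIP = "default-src https:; report-uri /reports-r-us";
const WEAK = "script-src 'self' 'unsafe-inline' http://cdn.example.test; object-src 'none'";
const STRICT = "default-src 'none'; script-src 'nonce-abc123' 'unsafe-inline'; object-src 'none'; base-uri 'self'";
for (const p of [PRO_TIP, WEAK, STRICT]) console.log(p, "->", lintCsp(p));
```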
https://goo.gl/wSH6sV
https://srihash.org/
https://goo.gl/yxEJiO https://goo.gl/IrPX7b
Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax
https://goo.gl/QcZIBI
✓ Set-Cookie: __Host-SID=12345; Secure; Path=/
✘ Set-Cookie: __Host-SID=12345
✘ Set-Cookie: __Host-SID=12345; Secure
✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
✘ Set-Cookie: __Host-SID=12345; Domain=example.com
✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
✓ Set-Cookie: __Secure-SID=12345; Secure;
✘ Set-Cookie: __Secure-SID=12345
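The acceptance rules behind these marks, as an added example in JavaScript (not code from the talk): it parses a Set-Cookie value and applies the __Secure- and __Host- prefix checks a browser runs before storing the cookie; `fromSecureOrigin` is an assumed parameter standing in for whether the response arrived over HTTPS.

```javascript
// Added example, not from the talk: check a Set-Cookie header value against the
// __Secure- and __Host- prefix rules a browser enforces before storing a cookie.
// `fromSecureOrigin` is an assumed parameter: whether the response came over HTTPS.
function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(";");
  const eq = nameValue.indexOf("=");
  const name = (eq === -1 ? nameValue : nameValue.slice(0, eq)).trim();
  const attrs = {};
  for (const part of rest) {
    const [key, ...val] = part.trim().split("=");
    if (key) attrs[key.toLowerCase()] = val.join("=");
  }
  return { name, attrs };
}

// Returns null if the cookie would be accepted, otherwise why it is rejected.
// Prefix matching is case-sensitive, as in the cookie-prefix specification.
function prefixViolation(header, fromSecureOrigin = true) {
  const { name, attrs } = parseSetCookie(header);
  const secure = "secure" in attrs;
  if (name.startsWith("__Secure-")) {
    if (!secure) return "__Secure- cookies need the Secure attribute";
    if (!fromSecureOrigin) return "__Secure- cookies must be set from a secure origin";
    return null;
  }
  if (name.startsWith("__Host-")) {
    if (!secure) return "__Host- cookies need the Secure attribute";
    if (!fromSecureOrigin) return "__Host- cookies must be set from a secure origin";
    if ("domain" in attrs) return "__Host- cookies must not carry a Domain attribute";
    if (attrs.path !== "/") return "__Host- cookies need Path=/";
    return null;
  }
  return null; // unprefixed cookie: the prefix rules do not apply
}

// The slide's examples, collected here as constructed sample input.
const EXAMPLES = [
  "__Host-SID=12345; Secure; Path=/",
  "__Host-SID=12345",
  "__Host-SID=12345; Secure",
  "__Host-SID=12345; Secure; Path=/subdirectory/",
  "__Host-SID=12345; Domain=example.com",
  "__Host-SID=12345; Secure; Domain=example.com; Path=/",
  "__Secure-SID=12345; Secure;",
  "__Secure-SID=12345",
];
for (const h of EXAMPLES) console.log((prefixViolation(h) ? "✘ " : "✓ ") + h, prefixViolation(h) || "");
```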
https://goo.gl/gF2clJ
https://goo.gl/FHAeAm
Credential Management API @ I/O: https://goo.gl/FbrO5x

    // Ask the browser for a stored password credential for this origin;
    // "unmediated": true lets it skip the account chooser when it can.
    navigator.credentials.get({ "password": true, "unmediated": true })
      .then(c => {
        if (!c) return;
        // Hooray, we have a credential!
        signInToYourApplication(c);
      });

    // Hand the credential to the server as the body of a POST to /signin.
    function signInToYourApplication(c) {
      fetch("/signin", { "method": "POST", "credentials": c })
        .then(r => {
          if (r.status == 200) {
            renderSignedInExperience(r);
            // or: window.location = "/signedin";
          } else {
            renderUsefulErrorMessage();
          }
        });
    }
https://goo.gl/Un07eJ
https://goo.gl/ILUP12
https://goo.gl/eZ9SKg
scheme://host:port
scheme://host:port scheme://sub1_host:port scheme://sub2_host:port
https://goo.gl/VhLsq2
Thank you! https://goo.gl/F0o9kR @mikewest mkwst@google.com