BSides Munich
Mike West
April 03, 2017
Transcript
Hardening the Web Platform
Mike West, @mikewest, [email protected]
Slides: https://goo.gl/F0o9kR
https://goo.gl/MycPb7
"Sharpening", https://flic.kr/p/sbo18H
"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
https://securethe.news/
https://letsencrypt.org/
https://caddyserver.com/
https://goo.gl/ptS8FO https://goo.gl/nzbqQo
Pro tip: before flipping the switch, find the http: subresources that are still in your pages by having browsers report them (send it as Content-Security-Policy-Report-Only while you are only collecting, so nothing breaks):
Content-Security-Policy: default-src https:; report-uri /reports-r-us
Then let the browser rewrite whatever is left to https: before it is fetched:
Content-Security-Policy: upgrade-insecure-requests
https://goo.gl/hcin3m
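Once reports start arriving at /reports-r-us, something has to turn them into a worklist. The following is an added example, not code from the talk: a Node function that takes the raw JSON bodies browsers POST to a report-uri endpoint (the CSP Level 2 `csp-report` object; the sample bodies below are constructed) and tallies every blocked http: resource by the pages and directives it appears under, dropping malformed reports and non-network blocked-uri values such as the bare `data` that browsers send for a blocked data: URI.

```javascript
// Added example (not from the talk): turn CSP violation reports collected at
// the report-uri endpoint into a mixed-content worklist.
// Report bodies follow the CSP Level 2 "csp-report" JSON object.

// Constructed sample bodies, as browsers POST them to /reports-r-us.
const SAMPLE_REPORTS = [
  '{"csp-report":{"document-uri":"https://example.com/","violated-directive":"default-src https:","effective-directive":"img-src","blocked-uri":"http://cdn.example.com/logo.png"}}',
  '{"csp-report":{"document-uri":"https://example.com/","violated-directive":"default-src https:","effective-directive":"script-src","blocked-uri":"http://cdn.example.com/app.js"}}',
  '{"csp-report":{"document-uri":"https://example.com/about","violated-directive":"default-src https:","effective-directive":"img-src","blocked-uri":"http://cdn.example.com/logo.png"}}',
  // A blocked data: URI is reported as just "data"; it is not mixed content.
  '{"csp-report":{"document-uri":"https://example.com/","violated-directive":"default-src https:","effective-directive":"img-src","blocked-uri":"data"}}',
  // Public endpoints receive junk too; it must not poison the tally.
  'not a report',
];

function parseReport(body) {
  try {
    const r = JSON.parse(body)['csp-report'];
    return r && typeof r['blocked-uri'] === 'string' ? r : null;
  } catch {
    return null;
  }
}

// Only absolute http: URLs count as mixed content for this worklist.
function isHttpUrl(u) {
  try { return new URL(u).protocol === 'http:'; } catch { return false; }
}

// Returns { items: [{ uri, count, directives, pages }], dropped }, busiest resource first.
function mixedContentWorklist(bodies) {
  const byResource = new Map();
  let dropped = 0;
  for (const body of bodies) {
    const r = parseReport(body);
    if (!r || !isHttpUrl(r['blocked-uri'])) { dropped++; continue; }
    const uri = r['blocked-uri'];
    const e = byResource.get(uri) || { count: 0, directives: new Set(), pages: new Set() };
    e.count++;
    e.directives.add(r['effective-directive'] || r['violated-directive']);
    e.pages.add(r['document-uri']);
    byResource.set(uri, e);
  }
  const items = [...byResource]
    .map(([uri, e]) => ({ uri, count: e.count, directives: [...e.directives].sort(), pages: [...e.pages].sort() }))
    .sort((a, b) => b.count - a.count || a.uri.localeCompare(b.uri));
  return { items, dropped };
}

// Usage: print the worklist for the constructed reports.
console.log(JSON.stringify(mixedContentWorklist(SAMPLE_REPORTS), null, 2));
```

Each item in the worklist is one resource to fix at the source (or to hand to upgrade-insecure-requests); the page list tells you which templates reference it.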
https://goo.gl/51hqZa
https://goo.gl/Kd2eMQ
https://goo.gl/ciyreA
https://goo.gl/rStTGz
Features Chrome restricts to secure (HTTPS) contexts:
AppCache, getUserMedia, crypto.subtle.*, ServiceWorker, navigator.credentials, navigator.geolocation, PaymentRequest, EME, Notification
https://goo.gl/rStTGz
https://goo.gl/Wwpnjw https://goo.gl/fzVgNt
127.0.0.1 (loopback), 192.168.1.1 (private, RFC 1918), 192.220.74.179 (public)
https://goo.gl/Wwpnjw
https://goo.gl/Wamh7S
GitHub's Content-Security-Policy:
default-src 'none';
base-uri 'self';
block-all-mixed-content;
child-src render.githubusercontent.com;
connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com;
font-src assets-cdn.github.com;
form-action 'self' github.com gist.github.com;
frame-ancestors 'none';
frame-src render.githubusercontent.com;
img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com;
media-src 'none';
object-src assets-cdn.github.com;
plugin-types application/x-shockwave-flash;
script-src assets-cdn.github.com;
style-src 'unsafe-inline' assets-cdn.github.com
https://goo.gl/lJq6jj https://goo.gl/dqPkYn
Twitter's Content-Security-Policy:
script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com https://www.google-analytics.com 'self';
frame-ancestors 'self';
font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self';
style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
object-src https://twitter.com https://pbs.twimg.com;
default-src 'self';
frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com;
img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self';
report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
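To compare the two policies above on the points that matter, here is an added example (not the talk's own code) that parses a Content-Security-Policy value into directives, applies the default-src fallback that fetch directives get, and reports what a reviewer looks for: a script-src that is missing or permits inline script without a nonce or hash, 'unsafe-eval', scheme-wide or wildcard script sources, and missing object-src, base-uri, frame-ancestors, form-action and reporting. GitHub's policy is included verbatim from the slide; Twitter's is abridged to the directives the linter inspects.

```javascript
// Added example (not from the talk): parse a Content-Security-Policy value
// and report the weaknesses a reviewer looks for.

// GitHub's policy, verbatim from the slide.
const GITHUB_CSP = "default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com";

// Twitter's policy, abridged from the slide to the directives the linter inspects.
const TWITTER_CSP = "script-src https://connect.facebook.net https://twitter.com 'unsafe-eval' https://*.twimg.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com 'self'; frame-ancestors 'self'; style-src https://twitter.com https://*.twimg.com 'unsafe-inline' 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self'; img-src https://twitter.com data: blob: 'self'; report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;";

// CSP serialisation: directives separated by ';', tokens by whitespace.
// A directive that appears twice is ignored the second time (first one wins).
function parseCsp(value) {
  const directives = new Map();
  for (const piece of value.split(';')) {
    const tokens = piece.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives (script-src, object-src, style-src, ...) fall back to
// default-src when absent; with neither, that resource type is unrestricted.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Returns [{ severity, directive, issue }], empty for a policy with nothing to flag.
function lintCsp(value) {
  const d = parseCsp(value);
  const findings = [];
  const add = (severity, directive, issue) => findings.push({ severity, directive, issue });
  const has = (list, token) => list !== null && list.some(s => s.toLowerCase() === token);

  const script = effectiveSources(d, 'script-src');
  // CSP Level 2 and later: a nonce or hash in script-src makes browsers ignore 'unsafe-inline'.
  const nonceOrHash = script !== null && script.some(s => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  if (script === null) add('high', 'script-src', 'neither script-src nor default-src: scripts unrestricted');
  if (has(script, "'unsafe-inline'") && !nonceOrHash) add('high', 'script-src', "'unsafe-inline' without nonce/hash: injected inline script runs");
  if (has(script, "'unsafe-eval'")) add('medium', 'script-src', "'unsafe-eval' permits eval()/new Function()");
  for (const s of script || []) {
    if (/^(\*|https?:|data:)$/.test(s)) add('high', 'script-src', `scheme or wildcard source ${s} allows any host`);
  }
  if (effectiveSources(d, 'object-src') === null) add('medium', 'object-src', 'plugins unrestricted');
  if (!d.has('base-uri')) add('medium', 'base-uri', '<base> injection can retarget relative script URLs');
  if (!d.has('frame-ancestors')) add('medium', 'frame-ancestors', 'no framing restriction (clickjacking)');
  if (!d.has('form-action')) add('low', 'form-action', 'forms may submit to any origin');
  if (has(effectiveSources(d, 'style-src'), "'unsafe-inline'")) add('low', 'style-src', "'unsafe-inline' styles allowed");
  if (!d.has('report-uri') && !d.has('report-to')) add('info', 'report-uri', 'no violation reporting');
  return findings;
}

// Usage: lint both policies.
for (const [who, csp] of [['GitHub', GITHUB_CSP], ['Twitter', TWITTER_CSP]]) {
  console.log(who, lintCsp(csp));
}
```

Run as written, GitHub's policy draws only the inline-style and no-reporting notes, while Twitter's is flagged for 'unsafe-eval' and for lacking base-uri and form-action; its nonce is what keeps inline script off the list even though script-src is long.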
https://goo.gl/wSH6sV
https://srihash.org/
https://goo.gl/yxEJiO https://goo.gl/IrPX7b
Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax
https://goo.gl/QcZIBI
Cookie prefixes: __Host- requires Secure, Path=/ and no Domain attribute; __Secure- requires Secure. Browsers store the ✔ lines and reject the ✘ ones:
✔ Set-Cookie: __Host-SID=12345; Secure; Path=/
✘ Set-Cookie: __Host-SID=12345
✘ Set-Cookie: __Host-SID=12345; Secure
✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
✘ Set-Cookie: __Host-SID=12345; Domain=example.com
✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
✔ Set-Cookie: __Secure-SID=12345; Secure;
✘ Set-Cookie: __Secure-SID=12345
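The acceptance rules behind the __Host- and __Secure- table above, and the Secure/HttpOnly/SameSite attributes on the session cookie before it, as an added example that is not part of the talk: a parser for Set-Cookie lines plus the checks a browser applies before storing a prefixed cookie, and a check for which hardening attributes an arbitrary cookie lacks. The header list is the slide's examples, constructed here as a JavaScript array.

```javascript
// Added example (not from the talk): the __Host- / __Secure- cookie prefix
// rules and a hardening check, run over Set-Cookie header lines.

// The slide's examples, constructed here as an array.
const SLIDE_COOKIES = [
  'Set-Cookie: __Host-SID=12345; Secure; Path=/',
  'Set-Cookie: __Host-SID=12345',
  'Set-Cookie: __Host-SID=12345; Secure',
  'Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/',
  'Set-Cookie: __Host-SID=12345; Domain=example.com',
  'Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/',
  'Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/',
  'Set-Cookie: __Secure-SID=12345; Secure;',
  'Set-Cookie: __Secure-SID=12345',
];

// Split "name=value; Attr; Attr=val" into a name, a value and a map of
// lower-cased attribute names to values (attribute names are case-insensitive).
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.replace(/^Set-Cookie:\s*/i, '').split(';');
  const eq = nameValue.indexOf('=');
  if (eq <= 0) return null; // a prefixed cookie needs a non-empty name
  const cookie = { name: nameValue.slice(0, eq).trim(), value: nameValue.slice(eq + 1).trim(), attrs: new Map() };
  for (const a of attrs) {
    const t = a.trim();
    if (!t) continue; // tolerates a trailing ';'
    const i = t.indexOf('=');
    const k = (i < 0 ? t : t.slice(0, i)).trim().toLowerCase();
    cookie.attrs.set(k, i < 0 ? '' : t.slice(i + 1).trim());
  }
  return cookie;
}

// Returns null if the browser would store the cookie, else the reason it is dropped.
// Both prefixes also require that the cookie is set from a secure origin.
function prefixRejection(header, fromSecureOrigin = true) {
  const c = parseSetCookie(header);
  if (!c) return 'unparseable name=value';
  const prefixed = c.name.startsWith('__Secure-') || c.name.startsWith('__Host-');
  if (prefixed && !c.attrs.has('secure')) return 'prefix requires the Secure attribute';
  if (prefixed && !fromSecureOrigin) return 'prefix requires a secure origin';
  if (c.name.startsWith('__Host-')) {
    if (c.attrs.has('domain')) return '__Host- forbids a Domain attribute';
    if (c.attrs.get('path') !== '/') return '__Host- requires Path=/';
  }
  return null;
}

// For any cookie: which of Secure, HttpOnly and SameSite it is missing.
function missingHardening(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.attrs.has('secure')) missing.push('Secure');
  if (!c.attrs.has('httponly')) missing.push('HttpOnly');
  if (!c.attrs.has('samesite')) missing.push('SameSite');
  return missing;
}

function classify(headers) {
  return headers.map(h => ({ header: h, rejected: prefixRejection(h) }));
}

// Usage: reproduce the slide's verdicts.
for (const r of classify(SLIDE_COOKIES)) console.log(r.rejected ? '✘' : '✔', r.header, r.rejected || '');
```

Note that the prefix guarantees are enforced by the browser, not the server: a `__Host-` cookie that reaches you cannot have been planted by a sibling subdomain or an HTTP page, which is exactly what makes it the right name for a session cookie.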
https://goo.gl/gF2clJ
https://goo.gl/FHAeAm
Credential Management API @ I/O: https://goo.gl/FbrO5x

```javascript
// Ask the browser for a stored password credential without showing a chooser
// (API shape as of this 2017 talk; the current spec spells the second option
// as mediation: "silent").
navigator.credentials.get({ "password": true, "unmediated": true })
  .then(c => {
    if (!c) return;
    // Hooray, we have a credential!
    signInToYourApplication(c);
  });

function signInToYourApplication(c) {
  // Handing the PasswordCredential to fetch as `credentials` sends it as the
  // request body, so the page never touches the raw password (2017 API shape).
  fetch("/signin", { "method": "POST", "credentials": c })
    .then(r => {
      if (r.status === 200) {
        renderSignedInExperience(r);
        // or: window.location = "/signedin";
      } else {
        renderUsefulErrorMessage();
      }
    });
}
```
https://goo.gl/Un07eJ
https://goo.gl/ILUP12
https://goo.gl/eZ9SKg
scheme://host:port
scheme://host:port scheme://sub1_host:port scheme://sub2_host:port
https://goo.gl/VhLsq2
Thank you! https://goo.gl/F0o9kR @mikewest
[email protected]