BSides Munich
Mike West
April 03, 2017
Transcript
Hardening the Web Platform
Mike West, @mikewest, [email protected]
Slides: https://goo.gl/F0o9kR
https://goo.gl/MycPb7
"Sharpening", https://flic.kr/p/sbo18H
"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8
https://securethe.news/
https://letsencrypt.org/
https://caddyserver.com/
https://goo.gl/ptS8FO https://goo.gl/nzbqQo
Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us
Content-Security-Policy: upgrade-insecure-requests
https://goo.gl/hcin3m
https://goo.gl/51hqZa
https://goo.gl/Kd2eMQ
https://goo.gl/ciyreA
https://goo.gl/rStTGz
AppCache, getUserMedia, crypto.subtle.*, ServiceWorker, navigator.credentials, navigator.geolocation, PaymentRequest, EME, Notification
https://goo.gl/rStTGz
https://goo.gl/Wwpnjw https://goo.gl/fzVgNt
127.0.0.1 192.168.1.1 192.220.74.179 https://goo.gl/Wwpnjw
https://goo.gl/Wamh7S
default-src 'none';
base-uri 'self';
block-all-mixed-content;
child-src render.githubusercontent.com;
connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com;
font-src assets-cdn.github.com;
form-action 'self' github.com gist.github.com;
frame-ancestors 'none';
frame-src render.githubusercontent.com;
img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com;
media-src 'none';
object-src assets-cdn.github.com;
plugin-types application/x-shockwave-flash;
script-src assets-cdn.github.com;
style-src 'unsafe-inline' assets-cdn.github.com
https://goo.gl/lJq6jj https://goo.gl/dqPkYn
script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com https://t.tellapart.com 'nonce-LrNe0GlzopB0DPFNqwdllg==' https://platform.twitter.com https://www.google-analytics.com 'self';
frame-ancestors 'self';
font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
connect-src https://graph.facebook.com https://*.giphy.com https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://pay.twitter.com https://analytics.twitter.com https://*.twprobe.net https://media.riffsy.com https://embed.periscope.tv https://upload.twitter.com 'self';
style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
object-src https://twitter.com https://pbs.twimg.com;
default-src 'self';
frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net 'self' https://donate.twitter.com;
img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://api.mapbox.com https://www.google-analytics.com blob: 'self';
report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
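The two policies above and the earlier "default-src https:" pro tip differ mainly in how tightly they control script execution. The following linter is an added example (not code from the slides, GitHub or Twitter): it parses a serialized policy into directives, applies the default-src fallback, and flags the settings a reviewer would question first: 'unsafe-inline'/'unsafe-eval', scheme-wide script sources, and missing object-src or base-uri. The sample policies it ships with are constructed for this example.

```python
"""Minimal Content-Security-Policy linter (added example, not from the slides)."""

SCHEME_WIDE = ("*", "https:", "http:", "data:", "blob:")


def parse_csp(policy: str) -> dict:
    """Return {directive_name: [source, ...]} for a serialized policy string."""
    directives = {}
    for token in policy.split(";"):
        token = token.strip()
        if not token:
            continue
        name, *sources = token.split()
        directives.setdefault(name.lower(), []).extend(sources)
    return directives


def effective(directives: dict, name: str) -> list:
    """Fetch directives such as script-src fall back to default-src when absent."""
    return directives.get(name, directives.get("default-src", []))


def lint_csp(policy: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    d = parse_csp(policy)
    findings = []
    for src in effective(d, "script-src"):
        low = src.lower()
        if low in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"script-src allows {src}")
        elif low in SCHEME_WIDE:
            findings.append(f"script-src allows scheme-wide source {src}")
    if "object-src" not in d and d.get("default-src") != ["'none'"]:
        findings.append("object-src not restricted (plugins fall back to default-src)")
    if "base-uri" not in d:
        findings.append("base-uri missing (an injected <base> can redirect relative script URLs)")
    return findings


# Constructed sample policies written for this example.
LOOSE = "default-src https:; report-uri /reports-r-us"
STRICT = ("default-src 'none'; base-uri 'self'; script-src assets-cdn.github.com; "
          "object-src 'none'; style-src 'unsafe-inline' assets-cdn.github.com")

if __name__ == "__main__":
    for name, policy in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, lint_csp(policy) or "no findings")
```

The slide's "default-src https:" pro tip is reported as permissive because it admits script from any https host; that is fine for a report-only discovery run but not as a final policy.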
https://goo.gl/wSH6sV
https://srihash.org/
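As an added example (not code from the slides or from srihash.org), the helpers below generate the integrity value that belongs in a script or link tag and verify fetched bytes against it the way the SRI specification describes: only the strongest algorithm listed is considered, and the resource is accepted if it matches any digest given for that algorithm. The sample script body is constructed for this example.

```python
"""Subresource Integrity generation and verification (added example)."""
import base64
import hashlib

# Algorithms the SRI specification allows, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return 'algo-<base64 digest>' suitable for an integrity="..." attribute."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Decide whether content satisfies a (possibly multi-hash) integrity attribute."""
    parsed = []
    for token in integrity.split():
        algo, sep, encoded = token.partition("-")
        algo = algo.lower()
        if sep and algo in SRI_ALGORITHMS:
            # Browsers ignore options after '?'; unknown algorithms are skipped entirely.
            parsed.append((algo, encoded.split("?", 1)[0]))
    if not parsed:
        # No usable metadata means no integrity check is applied at all.
        return True
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    actual = base64.b64encode(hashlib.new(strongest, content).digest()).decode("ascii")
    return any(encoded == actual for algo, encoded in parsed if algo == strongest)


# Constructed sample script body written for this example.
SAMPLE_SCRIPT = b"console.log('hello from a CDN');\n"

if __name__ == "__main__":
    attr = sri_integrity(SAMPLE_SCRIPT)
    print(f'<script src="https://cdn.example/app.js" integrity="{attr}" crossorigin="anonymous"></script>')
    print("unmodified accepted:", sri_matches(SAMPLE_SCRIPT, attr))
    print("tampered accepted:", sri_matches(SAMPLE_SCRIPT + b"// injected", attr))
```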
https://goo.gl/yxEJiO https://goo.gl/IrPX7b
Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax
https://goo.gl/QcZIBI
✔ Set-Cookie: __Host-SID=12345; Secure; Path=/
✘ Set-Cookie: __Host-SID=12345
✘ Set-Cookie: __Host-SID=12345; Secure
✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
✘ Set-Cookie: __Host-SID=12345; Domain=example.com
✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
✔ Set-Cookie: __Secure-SID=12345; Secure;
✘ Set-Cookie: __Secure-SID=12345
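The accept/reject decisions on that slide follow the cookie-prefix rules from the RFC 6265bis draft: a __Secure- cookie must carry Secure; a __Host- cookie must carry Secure, must not carry Domain, and must have Path=/. The checker below is an added example (not the slides' code) that applies exactly those rules to a Set-Cookie header, so a server can validate its own headers before deploying them; the header strings are the ones from the slide.

```python
"""Set-Cookie prefix validator (added example, not from the slides)."""
import re


def parse_set_cookie(header: str):
    """Split 'Set-Cookie: name=value; Attr; Attr=value' into (name, {attr_lower: value})."""
    value = re.sub(r"^\s*Set-Cookie:\s*", "", header, flags=re.IGNORECASE)
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def prefix_ok(header: str):
    """Return (accepted, reason) as a prefix-aware browser would decide it."""
    name, attrs = parse_set_cookie(header)
    if name.startswith("__Secure-"):
        if "secure" not in attrs:
            return False, "__Secure- requires the Secure attribute"
        return True, "ok"
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            return False, "__Host- requires the Secure attribute"
        if "domain" in attrs:
            return False, "__Host- must not set Domain"
        if attrs.get("path") != "/":
            return False, "__Host- requires Path=/"
        return True, "ok"
    return True, "no prefix, no extra constraints"


SLIDE_EXAMPLES = [
    "Set-Cookie: __Host-SID=12345; Secure; Path=/",
    "Set-Cookie: __Host-SID=12345",
    "Set-Cookie: __Host-SID=12345; Secure",
    "Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/",
    "Set-Cookie: __Host-SID=12345; Domain=example.com",
    "Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/",
    "Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/",
    "Set-Cookie: __Secure-SID=12345; Secure;",
    "Set-Cookie: __Secure-SID=12345",
]

if __name__ == "__main__":
    for h in SLIDE_EXAMPLES:
        accepted, reason = prefix_ok(h)
        print("\u2714" if accepted else "\u2718", h, "" if accepted else f"({reason})")
```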
https://goo.gl/gF2clJ
https://goo.gl/FHAeAm
Credential Management API @ I/O: https://goo.gl/FbrO5x

    navigator.credentials.get({ "password": true, "unmediated": true })
      .then(c => {
        if (!c) return;
        // Hooray, we have a credential!
        signInToYourApplication(c);
      });

    function signInToYourApplication(c) {
      fetch("/signin", { "method": "POST", "credentials": c })
        .then(r => {
          if (r.status == 200) {
            renderSignedInExperience(r);
            // or: window.location = "/signedin";
          } else {
            renderUsefulErrorMessage();
          }
        });
    }
https://goo.gl/Un07eJ
https://goo.gl/ILUP12
https://goo.gl/eZ9SKg
scheme://host:port
scheme://host:port scheme://sub1_host:port scheme://sub2_host:port
https://goo.gl/VhLsq2
Thank you! https://goo.gl/F0o9kR @mikewest
[email protected]