Hardening the Web Platform - AppSec EU, 2016

Like every large software project, browsers are accidentally broken. But put these unintentional bugs aside for the moment, and imagine an alternate universe in which the browser implements every relevant standard perfectly. Even in this sincerely mythical world, users aren’t safe, because from a security perspective the internet is in many ways broken by design.

Let’s talk about how we’re beginning to mitigate some of these platform-level risks by hardening the defaults, removing barriers to TLS deployment, and giving developers access to new APIs that can be used to lock themselves down even further.

Mike West

July 01, 2016


  1. "Making CSP Great Again", https://goo.gl/74D8i5

     default-src 'none';
     base-uri 'self';
     block-all-mixed-content;
     child-src render.githubusercontent.com;
     connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com;
     font-src assets-cdn.github.com;
     form-action 'self' github.com gist.github.com;
     frame-ancestors 'none';
     frame-src render.githubusercontent.com;
     img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com;
     media-src 'none';
     object-src assets-cdn.github.com;
     plugin-types application/x-shockwave-flash;
     script-src assets-cdn.github.com;
     style-src 'unsafe-inline' assets-cdn.github.com
  2. Cookie prefixes

     ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/
     ✘ Set-Cookie: __Host-SID=12345
     ✘ Set-Cookie: __Host-SID=12345; Secure
     ✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
     ✘ Set-Cookie: __Host-SID=12345; Domain=example.com
     ✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
     ✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
     ✘ Set-Cookie: __Secure-SID=12345; Secure;
     ✘ Set-Cookie: __Secure-SID=12345
  3. Credential Management API @ I/O: https://goo.gl/FbrO5x

     // 2016 shape of the API: ask the browser for a stored password
     // credential for this origin, without showing the account chooser.
     navigator.credentials.get({ "password": true, "unmediated": true })
       .then(c => {
         if (!c) return; // nothing stored for this origin; fall back to the login form
         // Hooray, we have a credential!
         signInToYourApplication(c);
       });
  4. Credential Management API @ I/O: https://goo.gl/FbrO5x

     function signInToYourApplication(c) {
       // 2016 shape of the API: handing the credential object to fetch's
       // `credentials` option makes the browser serialize the username and
       // password into the POST body, so script never touches the password.
       fetch("/signin", { "method": "POST", "credentials": c })
         .then(r => {
           if (r.status === 200) {
             renderSignedInExperience(r); // or: window.location = "/signedin";
           } else {
             renderUsefulErrorMessage();
           }
         });
     }
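The GitHub policy on slide 1 is only useful if you can predict what it blocks, and most of that prediction is the source-expression matching plus the fallback from a missing fetch directive to default-src. The following is an added example, not code from the deck or from any browser: a small CSP evaluator that parses that policy and answers "would this directive allow this URL?". It implements the CSP3 host-source, scheme-source and 'self' matching rules and the CSP3 fallback chains (frame-src falls back to child-src, worker-src to child-src then script-src); the page origin https://github.com and the sample URLs are assumptions chosen to exercise the policy.

```javascript
// Added example: a minimal CSP source-expression matcher for the GitHub policy
// quoted on slide 1. Not a browser's implementation; keyword sources other
// than 'self' (nonces, hashes, 'unsafe-inline') never match a URL here.

const GITHUB_POLICY =
  "default-src 'none'; base-uri 'self'; block-all-mixed-content; " +
  "child-src render.githubusercontent.com; " +
  "connect-src 'self' uploads.github.com status.github.com api.github.com " +
  "www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com; " +
  "font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; " +
  "frame-ancestors 'none'; frame-src render.githubusercontent.com; " +
  "img-src 'self' data: assets-cdn.github.com identicons.github.com " +
  "www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com " +
  "*.githubusercontent.com; media-src 'none'; object-src assets-cdn.github.com; " +
  "plugin-types application/x-shockwave-flash; script-src assets-cdn.github.com; " +
  "style-src 'unsafe-inline' assets-cdn.github.com";

// CSP3 fallback chains: a missing fetch directive defers to these, in order.
// Directives absent from this table (frame-ancestors, form-action, base-uri)
// do not fall back to default-src at all.
const FALLBACK = {
  "child-src": ["default-src"], "connect-src": ["default-src"],
  "font-src": ["default-src"], "frame-src": ["child-src", "default-src"],
  "img-src": ["default-src"], "media-src": ["default-src"],
  "object-src": ["default-src"], "script-src": ["default-src"],
  "style-src": ["default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};
const DEFAULT_PORT = { http: 80, https: 443, ws: 80, wss: 443 };

// Serialized policy -> Map of directive name -> list of source expressions.
// As in the spec, a repeated directive is ignored: the first occurrence wins.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// CSP3 scheme matching: a scheme-less host source takes the page's scheme,
// and http may be upgraded to https (ws to wss) but never the reverse.
function schemeMatches(a, b) {
  return a === b || (a === "http" && b === "https") ||
    (a === "ws" && ["wss", "http", "https"].includes(b)) ||
    (a === "wss" && b === "https");
}

// Does one source expression permit `url`, loaded from `page`?
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  const urlScheme = url.protocol.slice(0, -1);
  if (e.startsWith("'")) return e === "'self'" && url.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeMatches(e.slice(0, -1), urlScheme);
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (!schemeMatches(scheme || page.protocol.slice(0, -1), urlScheme)) return false;
  if (host.startsWith("*.")) {
    // "*.gravatar.com" needs at least one label before the suffix.
    const suffix = host.slice(1);
    if (!url.hostname.endsWith(suffix) || url.hostname.length <= suffix.length) return false;
  } else if (host !== "*" && url.hostname !== host) return false;
  const urlPort = url.port ? Number(url.port) : DEFAULT_PORT[urlScheme];
  if (port === undefined) { if (url.port !== "") return false; } // default port only
  else if (port !== "*" && Number(port) !== urlPort) return false;
  if (path && !url.pathname.startsWith(path)) return false;
  return true;
}

// Would the policy allow `urlString` for `directive` on a page at `pageUrl`?
function isAllowed(policy, directive, urlString, pageUrl) {
  const url = new URL(urlString);
  const page = new URL(pageUrl);
  const chain = [directive, ...(FALLBACK[directive] || [])];
  const governing = chain.find((d) => policy.has(d));
  if (governing === undefined) return true; // nothing restricts this load
  return policy.get(governing).some((s) => sourceMatches(s, url, page));
}

const GITHUB = parsePolicy(GITHUB_POLICY);
const PAGE = "https://github.com/";
```

Two results are worth noting. A worker script from assets-cdn.github.com is refused even though script-src allows that host, because worker-src is absent and falls back to child-src first, which only lists render.githubusercontent.com; and the bare host gravatar.com is refused by `*.gravatar.com`, which needs a subdomain. Both are the kind of surprise `default-src 'none'` is designed to surface early, in report-only mode, rather than in production.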
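Slide 2 lists nine Set-Cookie headers without saying which of them a browser that understands cookie prefixes will keep. The following is an added example, not code from the deck or from Chrome: a validator that applies the `__Secure-` and `__Host-` rules from the cookie-prefixes proposal (a `__Secure-` cookie must carry Secure and arrive from a secure origin; a `__Host-` cookie must additionally have no Domain attribute and exactly `Path=/`). The nine headers are copied from the slide and are assumed to arrive over HTTPS. Run over them, it keeps only the first (`__Host-SID=12345; Secure; Path=/`) and the eighth (`__Secure-SID=12345; Secure;`); the other seven are dropped, which is what makes the prefixes useful: a server reading a `__Host-` cookie knows it was set over TLS, by this exact host, for the whole site.

```javascript
// Added example: __Host- / __Secure- cookie-prefix validation as a user agent
// performs it when a Set-Cookie header arrives. Not a browser's code.

// The nine headers from slide 2 (values after "Set-Cookie:"), as constructed
// sample input; assumed to have been received over https.
const SLIDE_COOKIES = [
  "__Host-SID=12345; Secure; Path=/",
  "__Host-SID=12345",
  "__Host-SID=12345; Secure",
  "__Host-SID=12345; Secure; Path=/subdirectory/",
  "__Host-SID=12345; Domain=example.com",
  "__Host-SID=12345; Domain=example.com; Path=/",
  "__Host-SID=12345; Secure; Domain=example.com; Path=/",
  "__Secure-SID=12345; Secure;",
  "__Secure-SID=12345",
];

// Split "name=value; Attr; Attr=val" into its parts. Attribute names are
// case-insensitive; attribute values are kept verbatim.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? "" : pair.slice(0, eq)).trim();
  const value = (eq === -1 ? pair : pair.slice(eq + 1)).trim();
  const attributes = {};
  for (const raw of rest) {
    const attr = raw.trim();
    if (!attr) continue; // tolerates the trailing ";" on the eighth slide line
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Apply the prefix rules. Returns { ok: true } or { ok: false, reason }.
// Cookies without a prefix are accepted unchanged: the prefixes are opt-in.
function checkPrefix(cookie, fromSecureOrigin) {
  const { name, attributes } = cookie;
  const isHost = name.startsWith("__Host-");     // prefix compared exactly as written
  const isSecure = name.startsWith("__Secure-");
  if (!isHost && !isSecure) return { ok: true };
  if (!("secure" in attributes)) return { ok: false, reason: "missing Secure attribute" };
  if (!fromSecureOrigin) return { ok: false, reason: "set from a non-secure origin" };
  if (isHost) {
    if ("domain" in attributes) return { ok: false, reason: "__Host- forbids Domain" };
    if (attributes.path !== "/") return { ok: false, reason: "__Host- requires Path=/" };
  }
  return { ok: true };
}

// Filter a list of Set-Cookie values down to the ones a conforming UA stores.
function acceptedCookies(headers, fromSecureOrigin = true) {
  return headers.filter((h) => checkPrefix(parseSetCookie(h), fromSecureOrigin).ok);
}

// Explain each rejection, for the reader running this stand-alone.
function rejectionReasons(headers, fromSecureOrigin = true) {
  return headers
    .map((h) => ({ header: h, ...checkPrefix(parseSetCookie(h), fromSecureOrigin) }))
    .filter((r) => !r.ok)
    .map((r) => `${r.header}  ->  ${r.reason}`);
}
```

The `fromSecureOrigin` flag matters as much as the attributes: the same `__Secure-SID=12345; Secure;` header arriving over plain HTTP is dropped, which is what stops a network attacker from planting a prefixed cookie that the HTTPS site will later trust.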