Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security @ CMS Security Summit
Search
Mike West
January 30, 2019
Programming
0
130
Web Platform Security @ CMS Security Summit
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Mike West
January 30, 2019
Tweet
Share
More Decks by Mike West
See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
0
120
Isolation by Default
mikewest
0
1.9k
The Web We Can Ship
mikewest
0
510
Web Platform Security @ CMS Security Summit 2020
mikewest
0
3.4k
Web Platform Security @ TechDays 2019
mikewest
1
180
Cookies are bad @ HTTP Workshop 2019
mikewest
0
470
Web Platform Security PhD Summit @ Google Munich
mikewest
2
1k
BSides Munich
mikewest
0
350
Hardening the Web Platform - AppSec EU, 2016
mikewest
5
1.5k
Other Decks in Programming
See All in Programming
スマホから Youtube Shortsを見られないようにする
lemolatoon
27
32k
明日から始めるリファクタリング
ryounasso
0
140
PHPに関数型の魂を宿す〜PHP 8.5 で実現する堅牢なコードとは〜 #phpcon_hiroshima / phpcon-hiroshima-2025
shogogg
1
220
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
330
詳しくない分野でのVibe Codingで困ったことと学び/vibe-coding-in-unfamiliar-area
shibayu36
3
5k
All About Angular's New Signal Forms
manfredsteyer
PRO
0
160
Android16 Migration Stories ~Building a Pattern for Android OS upgrades~
reoandroider
0
110
(Extension DC 2025) Actor境界を越える技術
teamhimeh
1
250
Foundation Modelsを実装日本語学習アプリを作ってみた!
hypebeans
0
110
Le côté obscur des IA génératives
pascallemerrer
0
140
Devoxx BE - Local Development in the AI Era
kdubois
0
130
Go Conference 2025: Goで体感するMultipath TCP ― Go 1.24 時代の MPTCP Listener を理解する
takehaya
9
1.7k
Featured
See All Featured
Testing 201, or: Great Expectations
jmmastey
45
7.7k
Navigating Team Friction
lara
190
15k
Documentation Writing (for coders)
carmenintech
75
5.1k
It's Worth the Effort
3n
187
28k
How STYLIGHT went responsive
nonsquared
100
5.8k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
48
9.7k
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
Code Reviewing Like a Champion
maltzj
526
40k
Keith and Marios Guide to Fast Websites
keithpitt
411
23k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
285
14k
Music & Morning Musume
bryan
46
6.8k
Bash Introduction
62gerente
615
210k
Transcript
Proprietary + Confidential Proprietary + Confidential Web Platform Security @
CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West,
[email protected]
, @mikewest
Proprietary + Confidential Proprietary + Confidential HTTPS
Proprietary + Confidential https://transparencyreport.google.com/https/overview
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually
Proprietary + Confidential Proprietary + Confidential What's next? We aim
to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
Proprietary + Confidential Proprietary + Confidential What's next? We're exploring
locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
Proprietary + Confidential Proprietary + Confidential XSS / XSSI /
CSRF
Proprietary + Confidential Proprietary + Confidential CSP is great. You
should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/
Proprietary + Confidential Proprietary + Confidential Spectre
Proprietary + Confidential Proprietary + Confidential
Proprietary + Confidential Proprietary + Confidential Site Isolation
Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740
Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175
Proprietary + Confidential Proprietary + Confidential Why "site"? Why not
"origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/
Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/
Proprietary + Confidential Proprietary + Confidential Thanks! Mike West
[email protected]
@mikewest