Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security @ CMS Security Summit
Search
Mike West
PRO
January 30, 2019
Programming
0
110
Web Platform Security @ CMS Security Summit
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Mike West
PRO
January 30, 2019
Tweet
Share
More Decks by Mike West
See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
110
Isolation by Default
mikewest
PRO
0
1.8k
The Web We Can Ship
mikewest
PRO
0
480
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
3k
Web Platform Security @ TechDays 2019
mikewest
PRO
1
170
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
430
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
930
BSides Munich
mikewest
PRO
0
330
Hardening the Web Platform - AppSec EU, 2016
mikewest
PRO
5
1.4k
Other Decks in Programming
See All in Programming
Honoとフロントエンドの 型安全性について
yodaka
7
1.4k
ARA Ansible for the teams
kksat
0
170
CDK開発におけるコーディング規約の運用
yamanashi_ren01
2
200
GoとPHPのインターフェイスの違い
shimabox
2
200
2025.2.14_Developers Summit 2025_登壇資料
0101unite
0
130
PHPのバージョンアップ時にも役立ったAST
matsuo_atsushi
0
210
Djangoにおける複数ユーザー種別認証の設計アプローチ@DjangoCongress JP 2025
delhi09
PRO
4
410
How mixi2 Uses TiDB for SNS Scalability and Performance
kanmo
40
16k
『GO』アプリ バックエンドサーバのコスト削減
mot_techtalk
0
150
GitHub Actions × RAGでコードレビューの検証の結果
sho_000
0
280
PHPカンファレンス名古屋2025 タスク分解の試行錯誤〜レビュー負荷を下げるために〜
soichi
1
630
コミュニティ駆動 AWS CDK ライブラリ「Open Constructs Library」 / community-cdk-library
gotok365
2
180
Featured
See All Featured
GitHub's CSS Performance
jonrohan
1030
460k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Java REST API Framework Comparison - PWX 2021
mraible
29
8.4k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
640
Git: the NoSQL Database
bkeepers
PRO
427
65k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.3k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
133
33k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
45
9.4k
Building Flexible Design Systems
yeseniaperezcruz
328
38k
Bash Introduction
62gerente
611
210k
Transcript
Proprietary + Confidential Proprietary + Confidential Web Platform Security @
CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West, mkwst@google.com, @mikewest
Proprietary + Confidential Proprietary + Confidential HTTPS
Proprietary + Confidential https://transparencyreport.google.com/https/overview
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually
Proprietary + Confidential Proprietary + Confidential What's next? We aim
to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
Proprietary + Confidential Proprietary + Confidential What's next? We're exploring
locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
Proprietary + Confidential Proprietary + Confidential XSS / XSSI /
CSRF
Proprietary + Confidential Proprietary + Confidential CSP is great. You
should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/
Proprietary + Confidential Proprietary + Confidential Spectre
Proprietary + Confidential Proprietary + Confidential
Proprietary + Confidential Proprietary + Confidential Site Isolation
Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740
Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175
Proprietary + Confidential Proprietary + Confidential Why "site"? Why not
"origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/
Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/
Proprietary + Confidential Proprietary + Confidential Thanks! Mike West mkwst@google.com
@mikewest