Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Web Platform Security @ CMS Security Summit

Avatar for Mike West Mike West
January 30, 2019
Programming
0
140

Web Platform Security @ CMS Security Summit

A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.

Avatar for Mike West

Mike West

January 30, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
Avatar for Mike West mikewest
0
130
Isolation by Default
Avatar for Mike West mikewest
0
2k
The Web We Can Ship
Avatar for Mike West mikewest
0
520
Web Platform Security @ CMS Security Summit 2020
Avatar for Mike West mikewest
0
3.5k
Web Platform Security @ TechDays 2019
Avatar for Mike West mikewest
1
190
Cookies are bad @ HTTP Workshop 2019
Avatar for Mike West mikewest
0
480
Web Platform Security PhD Summit @ Google Munich
Avatar for Mike West mikewest
2
1k
BSides Munich
Avatar for Mike West mikewest
0
360
Hardening the Web Platform - AppSec EU, 2016
Avatar for Mike West mikewest
5
1.5k

Other Decks in Programming

See All in Programming
Promise.tryで実現する新しいエラーハンドリング New error handling with Promise try
Avatar for おおいし bicstone
3
1.7k
開発15年のAIネイティブでない 巨大サービスのAI最適化
Avatar for わたり rapicro
0
110
FlutterKaigi 2025 システム裏側
Avatar for Ryotaro Onoue yumnumm
0
1.2k
データファイルをAWSのDWHサービスに格納する / 20251115jawsug-tochigi
Avatar for kasacchiful kasacchiful
2
100
TVerのWeb内製化 - 開発スピードと品質を両立させるまでの道のり
Avatar for TVer Inc. techtver
PRO
3
1.2k
これだけで丸わかり!LangChain v1.0 アップデートまとめ
Avatar for os1ma os1ma
4
320
大体よく分かるscala.collection.immutable.HashMap ~ Compressed Hash-Array Mapped Prefix-tree (CHAMP) ~
Avatar for matsu_chara matsu_chara
1
170
「文字列→日付」の落とし穴 〜Ruby Date.parseの意外な挙動〜
Avatar for sg4k0 sg4k0
0
320
Flutterチームから作る組織の越境文化
Avatar for ファインディ株式会社(イベント資料アップ用) findy_eventslides
0
640
TypeScriptで設計する 堅牢さとUXを両立した非同期ワークフローの実現
Avatar for Matsumoto Moeka moeka__c
5
2.6k
仕様がそのままテストになる!Javaで始める振る舞い駆動開発
Avatar for uutan1108 ohmori_yusuke
8
4.7k
最新のDirectX12で使えるレイトレ周りの機能追加について
Avatar for Pocol projectasura
0
310

Featured

See All Featured
Fireside Chat
Avatar for paigeccino paigeccino
41
3.7k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
359
30k
The Art of Programming - Codeland 2020
Avatar for Erika Heidi erikaheidi
56
14k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
97
6.4k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
61k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.1k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.9k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.6k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
2.8k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
680
Navigating Team Friction
Avatar for Lara Hogan lara
190
16k

Transcript

  1. Proprietary + Confidential Proprietary + Confidential Web Platform Security @

    CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West, [email protected], @mikewest

  2. Proprietary + Confidential Proprietary + Confidential HTTPS

  3. Proprietary + Confidential https://transparencyreport.google.com/https/overview

  4. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today

  5. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually

  6. Proprietary + Confidential Proprietary + Confidential What's next? We aim

    to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad

  7. Proprietary + Confidential Proprietary + Confidential What's next? We're exploring

    locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint

  8. Proprietary + Confidential Proprietary + Confidential XSS / XSSI /

    CSRF

  9. Proprietary + Confidential Proprietary + Confidential CSP is great. You

    should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/

  10. Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

  11. Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/

  12. Proprietary + Confidential Proprietary + Confidential Spectre

  13. Proprietary + Confidential Proprietary + Confidential

  14. Proprietary + Confidential Proprietary + Confidential Site Isolation

  15. Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy

    https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

  16. Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy

    https://github.com/whatwg/html/issues/3740

  17. Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175

  18. Proprietary + Confidential Proprietary + Confidential Why "site"? Why not

    "origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739

  19. Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/

  20. Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/

  21. Proprietary + Confidential Proprietary + Confidential Thanks! Mike West [email protected]

    @mikewest