Web Platform Security @ CMS Security Summit
Mike West
January 30, 2019
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Transcript
Proprietary + Confidential

Web Platform Security @ CMS Security Summit - 2019-01-30
Mike West, [email protected], @mikewest

HTTPS
https://transparencyreport.google.com/https/overview

Address Bar UX: Today

Address Bar UX: Eventually

What's next? We aim to expire non-secure cookies early rather than sending them over non-secure connections.
https://github.com/mikewest/cookies-over-http-bad

What's next? We're exploring locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`).
https://tools.ietf.org/html/draft-west-ua-client-hints
https://tools.ietf.org/html/draft-west-lang-client-hint

XSS / XSSI / CSRF

CSP is great. You should use it!
https://csp.withgoogle.com
Trusted Types looks promising. Please give us feedback!
https://github.com/WICG/trusted-types/

SameSite Cookies
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

Fetch Metadata
https://mikewest.github.io/sec-metadata/
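The Fetch Metadata slide points at the spec but the deck shows no server-side logic for it. The following is an added example, not code from the deck, from Chrome or from the spec: a resource-isolation policy of the kind Fetch Metadata was designed to enable, evaluated on the server per request from the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest headers (the header names as they eventually shipped; the 2019 draft linked above used an earlier form). The request objects, the PUBLIC_PATHS allow-list and the function names are constructed for this example.

```javascript
// Added example (not from the deck): a server-side resource-isolation policy
// driven by Fetch Metadata request headers. Header names and values follow
// the shipped spec (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest); the
// request shapes, the allow-list and the function names are constructed.

// Paths that are deliberately public and may be embedded cross-site
// (constructed allow-list for the example).
const PUBLIC_PATHS = new Set(['/public/logo.png']);

// Returns true if the request should be served, false if it should be
// rejected (e.g. with 403) before any application code runs.
// `req` is { method, path, headers } with lower-cased header names.
function isAllowedByIsolationPolicy(req) {
  const site = req.headers['sec-fetch-site'];
  const mode = req.headers['sec-fetch-mode'];
  const dest = req.headers['sec-fetch-dest'];

  // No Fetch Metadata at all: an older browser or a non-browser client.
  // Allow, so the policy can be deployed without breaking them; tighten
  // once the traffic mix permits.
  if (site === undefined) return true;

  // Requests from our own origin or site, or user-initiated ones (typed
  // URL, bookmark), carry Sec-Fetch-Site: same-origin / same-site / none.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return true;
  }

  // Cross-site from here on. Allow plain top-level navigations (a link
  // click), but only GET: a cross-site POST navigation is the classic CSRF
  // shape, and <object>/<embed>/<iframe> destinations are not 'document'.
  if (mode === 'navigate' && dest === 'document' && req.method === 'GET') {
    return true;
  }

  // Deliberately public resources may be loaded from anywhere.
  if (PUBLIC_PATHS.has(req.path)) return true;

  // Everything else cross-site (script includes, images, fetch(), frames)
  // is rejected; this is what stops XSSI-style reads and cross-site writes.
  return false;
}

// Constructed sample requests, one per situation the policy must handle.
const SAMPLE_REQUESTS = [
  { name: 'same-origin fetch() to an API', method: 'GET', path: '/api/profile',
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  { name: 'user typed the URL', method: 'GET', path: '/',
    headers: { 'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'cross-site link click', method: 'GET', path: '/article',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'cross-site form POST (CSRF shape)', method: 'POST', path: '/account/email',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'cross-site <script src> of JSON (XSSI shape)', method: 'GET', path: '/api/profile.json',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'script' } },
  { name: 'cross-site <iframe> of a page', method: 'GET', path: '/settings',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe' } },
  { name: 'cross-site <img> of a public asset', method: 'GET', path: '/public/logo.png',
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } },
  { name: 'legacy client, no Fetch Metadata', method: 'GET', path: '/api/profile',
    headers: {} },
];

// Run the policy over a list of requests and report the decision per request.
function evaluatePolicy(requests) {
  return requests.map((r) => ({ name: r.name, allowed: isAllowedByIsolationPolicy(r) }));
}

for (const r of evaluatePolicy(SAMPLE_REQUESTS)) {
  console.log(`${r.allowed ? 'allow ' : 'reject'}  ${r.name}`);
}
```

The policy is deliberately coarse: it is meant to run as middleware in front of everything, with the allow-list and the legacy-client fallback as the two places a deployment tunes it. Rejections are worth logging with the three header values, since the reject counts are how you find legitimate cross-site embeds before tightening the fallback.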
Spectre

Site Isolation

Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740

CORS-Only Mode
https://github.com/whatwg/html/issues/4175

Why "site"? Why not "origin"?
https://www.chromestatus.com/metrics/feature/timeline/popularity/739

Feature Policy
https://w3c.github.io/webappsec-feature-policy/

Origin Policy
https://wicg.github.io/origin-policy/

Thanks! Mike West
[email protected]
@mikewest