Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ CMS Security Summit

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Mike West Mike West
January 30, 2019
Programming
0
140

Web Platform Security @ CMS Security Summit

A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.

Avatar for Mike West

Mike West

January 30, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
Avatar for Mike West mikewest
0
130
Isolation by Default
Avatar for Mike West mikewest
0
2k
The Web We Can Ship
Avatar for Mike West mikewest
0
530
Web Platform Security @ CMS Security Summit 2020
Avatar for Mike West mikewest
0
3.6k
Web Platform Security @ TechDays 2019
Avatar for Mike West mikewest
1
200
Cookies are bad @ HTTP Workshop 2019
Avatar for Mike West mikewest
0
500
Web Platform Security PhD Summit @ Google Munich
Avatar for Mike West mikewest
2
1.1k
BSides Munich
Avatar for Mike West mikewest
0
370
Hardening the Web Platform - AppSec EU, 2016
Avatar for Mike West mikewest
5
1.5k

Other Decks in Programming

See All in Programming
それ、本当に安全? ファイルアップロードで見落としがちなセキュリティリスクと対策
Avatar for ikechi penpeen
7
3.9k
今から始めるClaude Code超入門
Avatar for 448jp | OKI Yoshiya 448jp
8
8.7k
なぜSQLはAIぽく見えるのか/why does SQL look AI like
Avatar for florets1 florets1
0
460
AI時代の認知負荷との向き合い方
Avatar for OptFit Corp. optfit
0
160
CSC307 Lecture 04
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
660
0→1 フロントエンド開発 Tips🚀 #レバテックMeetup
Avatar for 弁護士ドットコム bengo4com
0
560
副作用をどこに置くか問題:オブジェクト指向で整理する設計判断ツリー
Avatar for Koya Masuda koxya
1
610
Smart Handoff/Pickup ガイド - Claude Code セッション管理
Avatar for rasshii yukiigarashi
0
130
AIフル活用時代だからこそ学んでおきたい働き方の心得
Avatar for shinoyu shinoyu
0
130
カスタマーサクセス業務を変革したヘルススコアの実現と学び
Avatar for Tomoyuki Hamaguchi _hummer0724
0
700
登壇資料を作る時に意識していること #登壇資料_findy
Avatar for konifar konifar
4
1.1k
AIと一緒にレガシーに向き合ってみた
Avatar for nyafunta9858 nyafunta9858
0
230

Featured

See All Featured
Designing for Timeless Needs
Avatar for Cassini Nazir cassininazir
0
130
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
463
34k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
791
250k
svc-hook: hooking system calls on ARM64 by binary rewriting
Avatar for Akira Moroo retrage
1
99
Prompt Engineering for Job Search
Avatar for Mfonobong Umondia mfonobong
0
160
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
32
2.8k
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
0
350
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
Chasing Engaging Ingredients in Design
Avatar for Sebastian Deterding codingconduct
0
110
The Mindset for Success: Future Career Progression
Avatar for Greg Gifford greggifford
PRO
0
240
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
32k

Transcript

  1. Proprietary + Confidential Proprietary + Confidential Web Platform Security @

    CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West, [email protected], @mikewest

  2. Proprietary + Confidential Proprietary + Confidential HTTPS

  3. Proprietary + Confidential https://transparencyreport.google.com/https/overview

  4. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today

  5. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually

  6. Proprietary + Confidential Proprietary + Confidential What's next? We aim

    to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad

  7. Proprietary + Confidential Proprietary + Confidential What's next? We're exploring

    locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint

  8. Proprietary + Confidential Proprietary + Confidential XSS / XSSI /

    CSRF

  9. Proprietary + Confidential Proprietary + Confidential CSP is great. You

    should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/

  10. Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

  11. Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/

  12. Proprietary + Confidential Proprietary + Confidential Spectre

  13. Proprietary + Confidential Proprietary + Confidential

  14. Proprietary + Confidential Proprietary + Confidential Site Isolation

  15. Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy

    https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

  16. Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy

    https://github.com/whatwg/html/issues/3740

  17. Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175

  18. Proprietary + Confidential Proprietary + Confidential Why "site"? Why not

    "origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739

  19. Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/

  20. Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/

  21. Proprietary + Confidential Proprietary + Confidential Thanks! Mike West [email protected]

    @mikewest