Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ CMS Security Summit

Avatar for Mike West Mike West
January 30, 2019
Programming
0
130

Web Platform Security @ CMS Security Summit

A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.

Avatar for Mike West

Mike West

January 30, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
Avatar for Mike West mikewest
0
120
Isolation by Default
Avatar for Mike West mikewest
0
1.9k
The Web We Can Ship
Avatar for Mike West mikewest
0
510
Web Platform Security @ CMS Security Summit 2020
Avatar for Mike West mikewest
0
3.3k
Web Platform Security @ TechDays 2019
Avatar for Mike West mikewest
1
180
Cookies are bad @ HTTP Workshop 2019
Avatar for Mike West mikewest
0
460
Web Platform Security PhD Summit @ Google Munich
Avatar for Mike West mikewest
2
1k
BSides Munich
Avatar for Mike West mikewest
0
340
Hardening the Web Platform - AppSec EU, 2016
Avatar for Mike West mikewest
5
1.5k

Other Decks in Programming

See All in Programming
SQLアンチパターン第2版 データベースプログラミングで陥りがちな失敗とその対策 / Intro to SQL Antipatterns 2nd
Avatar for Takuto Wada twada
PRO
35
10k
MySQL9でベクトルカラム登場!PHP×AWSでのAI/類似検索はこう変わる
Avatar for Suguru Ohki suguruooki
1
260
知って得する@cloudflare_vite-pluginのあれこれ
Avatar for chimame chimame
1
130
0から始めるモジュラーモノリス-クリーンなモノリスを目指して
Avatar for sushi-cat sushi0120
0
210
Quality Gates in the Age of Agentic Coding
Avatar for Hélio Medeiros helmedeiros
PRO
1
110
オホーツクでコミュニティを立ち上げた理由―地方出身プログラマの挑戦 / TechRAMEN 2025 Conference
Avatar for はる lemonade_37
1
390
AI Agent 時代のソフトウェア開発を支える AWS Cloud Development Kit (CDK)
Avatar for Kenji Kono konokenj
6
1k
[SRE NEXT] 複雑なシステムにおけるUser Journey SLOの導入
Avatar for yakenji yakenji
1
860
ZeroETLで始めるDynamoDBとS3の連携
Avatar for afooooil afooooil
0
140
はじめてのWeb API体験 ー 飲食店検索アプリを作ろうー
Avatar for Aki Nakahara akinko_0915
0
180
状態遷移図を書こう / Sequence Chart vs State Diagram
Avatar for Kuniwak orgachem
PRO
3
310
JetBrainsのAI機能の紹介 #jjug
Avatar for yusuke yusuke
0
160

Featured

See All Featured
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
37
2.8k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
PRO
21
1.4k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
72
4.9k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
332
24k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
31
8.7k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
42
7.4k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
656
60k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
44
7.6k

Transcript

  1. Proprietary + Confidential Proprietary + Confidential Web Platform Security @

    CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West, [email protected], @mikewest

  2. Proprietary + Confidential Proprietary + Confidential HTTPS

  3. Proprietary + Confidential https://transparencyreport.google.com/https/overview

  4. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today

  5. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually

  6. Proprietary + Confidential Proprietary + Confidential What's next? We aim

    to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad

  7. Proprietary + Confidential Proprietary + Confidential What's next? We're exploring

    locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint

  8. Proprietary + Confidential Proprietary + Confidential XSS / XSSI /

    CSRF

  9. Proprietary + Confidential Proprietary + Confidential CSP is great. You

    should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/

  10. Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

  11. Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/

  12. Proprietary + Confidential Proprietary + Confidential Spectre

  13. Proprietary + Confidential Proprietary + Confidential

  14. Proprietary + Confidential Proprietary + Confidential Site Isolation

  15. Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy

    https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

  16. Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy

    https://github.com/whatwg/html/issues/3740

  17. Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175

  18. Proprietary + Confidential Proprietary + Confidential Why "site"? Why not

    "origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739

  19. Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/

  20. Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/

  21. Proprietary + Confidential Proprietary + Confidential Thanks! Mike West [email protected]

    @mikewest