Web Platform Security @ CMS Security Summit

A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.

Mike West

January 30, 2019
Transcript

  1. Proprietary + Confidential
    Web Platform Security
    @ CMS Security Summit - 2019-01-30
    Mike West, [email protected], @mikewest

  2. HTTPS

  3. https://transparencyreport.google.com/https/overview

  4. Address Bar UX: Today

  5. Address Bar UX: Eventually

  6. What's next?
    We aim to expire non-secure cookies early rather than sending them over non-secure connections.
    https://github.com/mikewest/cookies-over-http-bad

  7. What's next?
    We're exploring locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`).
    https://tools.ietf.org/html/draft-west-ua-client-hints
    https://tools.ietf.org/html/draft-west-lang-client-hint

  8. XSS / XSSI / CSRF

  9. CSP is great. You should use it!
    https://csp.withgoogle.com
    Trusted Types looks promising. Please give us feedback!
    https://github.com/WICG/trusted-types/

  10. SameSite Cookies
    https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

  11. Fetch Metadata
    https://mikewest.github.io/sec-metadata/
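Fetch Metadata (slide 11) is the server-side complement to the XSS/XSSI/CSRF and SameSite slides: browsers attach `Sec-Fetch-Site`, `Sec-Fetch-Mode` and `Sec-Fetch-Dest` to each request, and because the names are `Sec-`-prefixed, page script cannot set or forge them, so a server can refuse cross-site requests it never intends to serve. The following is an added example, not code from the slides or from Chrome: a small Python request filter implementing a resource isolation policy of the kind the spec enables. The `Request` class, `is_allowed` and `run_samples` are constructed here for illustration, and the sample requests are made up to exercise each branch.

```python
"""Fetch Metadata resource isolation policy (added example, not from the slides).

The Request class is a constructed stand-in for a web framework's request
object; only a method and a header dictionary are needed for the policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Methods a browser treats as safe (no state change is expected from them).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup, since HTTP header names are case-insensitive."""
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def is_allowed(req: Request) -> bool:
    """Decide whether a request passes the isolation policy.

    1. No Sec-Fetch-Site header: the client predates Fetch Metadata or is not
       a browser; allow it (the policy only gains from browsers that send it).
    2. same-origin, same-site and none (user-initiated, e.g. typed URL or
       bookmark) are allowed.
    3. Cross-site top-level navigations are allowed only for safe methods and
       only when the destination is not <object>/<embed>, so inbound links
       keep working while cross-site form POSTs (the CSRF shape) are refused.
    4. Every other cross-site request (script includes, cors/no-cors fetches,
       images of protected resources) is refused.
    """
    site = req.header("Sec-Fetch-Site")
    if site is None:
        return True
    if site in ("same-origin", "same-site", "none"):
        return True
    # From here on the request is cross-site.
    mode = req.header("Sec-Fetch-Mode")
    dest = req.header("Sec-Fetch-Dest")
    if (mode == "navigate"
            and req.method.upper() in SAFE_METHODS
            and dest not in ("object", "embed")):
        return True
    return False


def run_samples() -> List[Tuple[str, bool]]:
    """Constructed requests, one per policy branch, with the policy's verdict."""
    cross = {"Sec-Fetch-Site": "cross-site"}
    samples = [
        ("legacy client, no Fetch Metadata", Request("POST", {})),
        ("same-origin XHR POST", Request("POST", {
            "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors",
            "Sec-Fetch-Dest": "empty"})),
        ("link followed from another site", Request("GET", {
            "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate",
            "sec-fetch-dest": "document"})),
        ("cross-site form POST (CSRF shape)", Request("POST", {
            **cross, "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"})),
        ("cross-site script include (XSSI shape)", Request("GET", {
            **cross, "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "script"})),
        ("cross-site embed via <object>", Request("GET", {
            **cross, "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "object"})),
    ]
    return [(name, is_allowed(req)) for name, req in samples]


if __name__ == "__main__":
    for name, verdict in run_samples():
        print(f"{'allow' if verdict else 'deny ':5} {name}")
```

Run the policy in a log-only mode first and compare its verdicts against real traffic before making it reject anything; endpoints that legitimately serve cross-site embeds (public images, widgets) need an explicit allow list rather than the blanket rule above.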

  12. Spectre

  13.

  14. Site Isolation

  15. Cross Origin Resource Policy
    https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

  16. Cross Origin Opener Policy
    https://github.com/whatwg/html/issues/3740

  17. CORS-Only Mode
    https://github.com/whatwg/html/issues/4175

  18. Why "site"? Why not "origin"?
    https://www.chromestatus.com/metrics/feature/timeline/popularity/739

  19. Feature Policy
    https://w3c.github.io/webappsec-feature-policy/

  20. Origin Policy
    https://wicg.github.io/origin-policy/

  21. Thanks!
    Mike West
    [email protected]
    @mikewest