Web Platform Security @ CMS Security Summit

Transcript

1. Proprietary + Confidential
   Proprietary + Confidential
   Web Platform Security
   @ CMS Security Summit - 2019-01-30
   Proprietary + Confidential
   Mike West, [email protected], @mikewest
   

   View Slide

2. Proprietary + Confidential
   Proprietary + Confidential
   HTTPS
   

   View Slide

3. Proprietary + Confidential
   https://transparencyreport.google.com/https/overview
   

   View Slide

4. Proprietary + Confidential
   Proprietary + Confidential
   Address Bar UX: Today
   

   View Slide

5. Proprietary + Confidential
   Proprietary + Confidential
   Address Bar UX: Eventually
   

   View Slide

6. Proprietary + Confidential
   Proprietary + Confidential
   What's next?
   We aim to expire non-secure cookies
   early rather than sending them over
   non-secure connections.
   https://github.com/mikewest/cookies-over-http-bad
   

   View Slide

7. Proprietary + Confidential
   Proprietary + Confidential
   What's next?
   We're exploring locking some high-entropy
   headers to secure connections (for example,
   `User-Agent` and `Accept-Lang`).
   https://tools.ietf.org/html/draft-west-ua-client-hints
   https://tools.ietf.org/html/draft-west-lang-client-hint
   

   View Slide

8. Proprietary + Confidential
   Proprietary + Confidential
   XSS / XSSI / CSRF
   

   View Slide

9. Proprietary + Confidential
   Proprietary + Confidential
   CSP is great. You should use it!
   https://csp.withgoogle.com
   Trusted Types looks promising.
   Please give us feedback!
   https://github.com/WICG/trusted-types/
   

   View Slide

10. Proprietary + Confidential
    Proprietary + Confidential
    SameSite
    Cookies
    https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
    

    View Slide

11. Proprietary + Confidential
    Proprietary + Confidential
    Fetch Metadata
    https://mikewest.github.io/sec-metadata/
    

    View Slide

12. Proprietary + Confidential
    Proprietary + Confidential
    Spectre
    

    View Slide

13. Proprietary + Confidential
    Proprietary + Confidential
    

    View Slide

14. Proprietary + Confidential
    Proprietary + Confidential
    Site Isolation
    

    View Slide

15. Proprietary + Confidential
    Proprietary + Confidential
    Cross Origin
    Resource Policy
    https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
    

    View Slide

16. Proprietary + Confidential
    Proprietary + Confidential
    Cross Origin
    Opener Policy
    https://github.com/whatwg/html/issues/3740
    

    View Slide

17. Proprietary + Confidential
    Proprietary + Confidential
    CORS-Only
    Mode
    https://github.com/whatwg/html/issues/4175
    

    View Slide

18. Proprietary + Confidential
    Proprietary + Confidential
    Why "site"? Why
    not "origin"?
    https://www.chromestatus.com/metrics/feature/timeline/popularity/739
    

    View Slide

19. Proprietary + Confidential
    Proprietary + Confidential
    Feature Policy
    https://w3c.github.io/webappsec-feature-policy/
    

    View Slide

20. Proprietary + Confidential
    Proprietary + Confidential
    Origin Policy
    https://wicg.github.io/origin-policy/
    

    View Slide

21. Proprietary + Confidential
    Proprietary + Confidential
    Thanks!
    Mike West
    [email protected]
    @mikewest
    

    View Slide