Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security @ CMS Security Summit
Search
Mike West
January 30, 2019
Programming
0
130
Web Platform Security @ CMS Security Summit
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Mike West
January 30, 2019
Tweet
Share
More Decks by Mike West
See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
0
120
Isolation by Default
mikewest
0
1.9k
The Web We Can Ship
mikewest
0
510
Web Platform Security @ CMS Security Summit 2020
mikewest
0
3.3k
Web Platform Security @ TechDays 2019
mikewest
1
180
Cookies are bad @ HTTP Workshop 2019
mikewest
0
460
Web Platform Security PhD Summit @ Google Munich
mikewest
2
1k
BSides Munich
mikewest
0
340
Hardening the Web Platform - AppSec EU, 2016
mikewest
5
1.5k
Other Decks in Programming
See All in Programming
MCP連携で加速するAI駆動開発/mcp integration accelerates ai-driven-development
bpstudy
0
250
SwiftでMCPサーバーを作ろう!
giginet
PRO
2
220
Terraform やるなら公式スタイルガイドを読もう 〜重要項目 10選〜
hiyanger
11
2.8k
画像コンペでのベースラインモデルの育て方
tattaka
3
960
QA x AIエコシステム段階構築作戦
osu
0
240
iOS開発スターターキットの作り方
akidon0000
0
230
AIに安心して任せるためにTypeScriptで一意な型を作ろう
arfes0e2b3c
0
330
Claude Code で Astro blog を Pages から Workers へ移行してみた
codehex
0
170
PHPカンファレンス関西2025 基調講演
sugimotokei
6
1.1k
中級グラフィックス入門~効率的なメッシュレット描画~
projectasura
4
2.4k
Strands Agents で実現する名刺解析アーキテクチャ
omiya0555
1
110
Vibe coding コードレビュー
kinopeee
0
400
Featured
See All Featured
Navigating Team Friction
lara
188
15k
Done Done
chrislema
185
16k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
Mobile First: as difficult as doing things right
swwweet
223
9.9k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
Code Review Best Practice
trishagee
69
19k
Building Applications with DynamoDB
mza
95
6.5k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1k
Designing for Performance
lara
610
69k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
How to Think Like a Performance Engineer
csswizardry
25
1.8k
Making Projects Easy
brettharned
117
6.3k
Transcript
Proprietary + Confidential Proprietary + Confidential Web Platform Security @
CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West,
[email protected]
, @mikewest
Proprietary + Confidential Proprietary + Confidential HTTPS
Proprietary + Confidential https://transparencyreport.google.com/https/overview
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually
Proprietary + Confidential Proprietary + Confidential What's next? We aim
to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
Proprietary + Confidential Proprietary + Confidential What's next? We're exploring
locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
Proprietary + Confidential Proprietary + Confidential XSS / XSSI /
CSRF
Proprietary + Confidential Proprietary + Confidential CSP is great. You
should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/
Proprietary + Confidential Proprietary + Confidential Spectre
Proprietary + Confidential Proprietary + Confidential
Proprietary + Confidential Proprietary + Confidential Site Isolation
Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740
Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175
Proprietary + Confidential Proprietary + Confidential Why "site"? Why not
"origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/
Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/
Proprietary + Confidential Proprietary + Confidential Thanks! Mike West
[email protected]
@mikewest