Web Platform Security @ CMS Security Summit

Transcript

1. Proprietary + Confidential Proprietary + Confidential Web Platform Security @

   CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West, mkwst@google.com, @mikewest

2. Proprietary + Confidential Proprietary + Confidential HTTPS

3. Proprietary + Confidential https://transparencyreport.google.com/https/overview

4. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today

5. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually

6. Proprietary + Confidential Proprietary + Confidential What's next? We aim

   to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad

7. Proprietary + Confidential Proprietary + Confidential What's next? We're exploring

   locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint

8. Proprietary + Confidential Proprietary + Confidential XSS / XSSI /

   CSRF

9. Proprietary + Confidential Proprietary + Confidential CSP is great. You

   should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/

10. Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

11. Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/

12. Proprietary + Confidential Proprietary + Confidential Spectre

13. Proprietary + Confidential Proprietary + Confidential

14. Proprietary + Confidential Proprietary + Confidential Site Isolation

15. Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy

    https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

16. Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy

    https://github.com/whatwg/html/issues/3740

17. Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175

18. Proprietary + Confidential Proprietary + Confidential Why "site"? Why not

    "origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739

19. Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/

20. Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/

21. Proprietary + Confidential Proprietary + Confidential Thanks! Mike West mkwst@google.com

    @mikewest