Web Platform Security @ CMS Security Summit
Mike West
January 30, 2019
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Transcript
Proprietary + Confidential
Web Platform Security @ CMS Security Summit - 2019-01-30
Mike West, [email protected], @mikewest
HTTPS
https://transparencyreport.google.com/https/overview
Address Bar UX: Today
Address Bar UX: Eventually
What's next? We aim to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
What's next? We're exploring locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Language`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
XSS / XSSI / CSRF
CSP is great. You should use it! https://csp.withgoogle.com
Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
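As an added example (not from the deck or the rfc6265bis draft), the rule that decides whether a SameSite cookie is attached to a request, written as a predicate you can run against a cookie and a description of the request. Sites are passed in precomputed (scheme plus registrable domain). The two options model behaviour Chrome adopted later than this talk, treating a cookie with no `SameSite` attribute as `Lax` and rejecting `SameSite=None` without `Secure`; both default off to match the draft-02 semantics the slide cites.

```javascript
// Added example: SameSite cookie attachment per rfc6265bis.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse one Set-Cookie header into { name, value, secure, sameSite }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
    // HttpOnly, Path, Domain, Max-Age do not affect the SameSite decision.
  }
  return cookie;
}

// request: { url, site, topLevelSite, method, isTopLevelNavigation }
//   site          site of `url`, where the cookie would be sent
//   topLevelSite  site of the top-level document the request originates from
// options.laxByDefault      missing SameSite attribute behaves as Lax (Chrome 80+)
// options.noneRequiresSecure SameSite=None is only honoured on Secure cookies (Chrome 80+)
function cookieAttached(cookie, request, { laxByDefault = false, noneRequiresSecure = false } = {}) {
  const overHttps = request.url.startsWith('https://');
  if (cookie.secure && !overHttps) return false;        // Secure cookies never go over HTTP

  let mode = cookie.sameSite;
  if (mode === null || !['strict', 'lax', 'none'].includes(mode)) {
    mode = laxByDefault ? 'lax' : 'none';               // unknown values fall back like a missing one
  }
  if (noneRequiresSecure && cookie.sameSite === 'none' && !cookie.secure) return false;

  // Same-site requests always carry the cookie; only cross-site ones are gated.
  if (request.site === request.topLevelSite) return true;
  switch (mode) {
    case 'strict': return false;
    case 'lax':    return request.isTopLevelNavigation && SAFE_METHODS.has(request.method);
    default:       return true;                         // 'none': legacy behaviour
  }
}

// Constructed sample: a session cookie and a cross-site form POST (the CSRF shape).
const SESSION = parseSetCookie('sid=abc; Secure; HttpOnly; SameSite=Lax');
const CSRF_POST = {
  url: 'https://bank.example/transfer', site: 'https://bank.example',
  topLevelSite: 'https://evil.example', method: 'POST', isTopLevelNavigation: true,
};
```

With `SameSite=Lax`, `cookieAttached(SESSION, CSRF_POST)` is false, so the forged transfer arrives without a session; the same request as a `GET` link click gets the cookie, which is what keeps deep links from other sites working. `Strict` drops even the link click.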
Fetch Metadata https://mikewest.github.io/sec-metadata/
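As an added example (not from the deck or the Sec-Metadata draft), a server-side "resource isolation policy" built on Fetch Metadata: the server reads the browser-supplied request headers and refuses cross-site requests it never intends to serve. The header names are the `Sec-Fetch-Site` / `Sec-Fetch-Mode` / `Sec-Fetch-Dest` form browsers shipped; the draft linked above carried the same data in a single `Sec-Metadata` header. The Express-style `(req, res, next)` wrapper is an assumption about the framework, not something the page describes.

```javascript
// Added example: Fetch Metadata resource isolation policy for a server.

// Decide whether to serve a request. `headers` has lower-cased keys, as Node's
// http module provides. Returns { allow, reason } so the decision can be logged.
function resourceIsolationPolicy(method, headers, { allowFraming = false } = {}) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Clients that send no Fetch Metadata (older browsers, non-browser tools) are
  // not rejected here; other defences (SameSite cookies, CSRF tokens) cover them.
  if (site === undefined) return { allow: true, reason: 'no Fetch Metadata on request' };

  // Same-origin, same-site and user-initiated requests (address bar, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none')
    return { allow: true, reason: `sec-fetch-site=${site}` };

  // Cross-site: only top-level GET navigations are legitimate, i.e. links from
  // other sites. A missing Sec-Fetch-Dest (browsers that shipped Site/Mode before
  // Dest) is treated as a top-level document.
  if (mode === 'navigate' && method === 'GET') {
    if (dest === undefined || dest === 'document')
      return { allow: true, reason: 'cross-site top-level navigation' };
    if ((dest === 'iframe' || dest === 'frame') && allowFraming)
      return { allow: true, reason: 'cross-site framing permitted by configuration' };
    // <object>/<embed> are navigations too, but hand the embedder the response.
  }

  // Everything else cross-site: subresources, fetch()/XHR, form POSTs, framing.
  // This is the CSRF, XSSI and cross-site-read surface in one check.
  return { allow: false, reason: `cross-site ${mode || 'request'} for dest=${dest || 'unknown'}` };
}

// Middleware wrapper (Express-style signature assumed; not exercised by a server here).
function fetchMetadataMiddleware(req, res, next) {
  const verdict = resourceIsolationPolicy(req.method, req.headers);
  if (!verdict.allow) {
    res.statusCode = 403;
    res.end(`Forbidden by resource isolation policy: ${verdict.reason}`);
    return;
  }
  next();
}

// Constructed sample requests as a browser would label them.
const SAMPLE_REQUESTS = [
  ['GET',  { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors',     'sec-fetch-dest': 'empty'    }], // own fetch()
  ['GET',  { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' }], // link from elsewhere
  ['POST', { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' }], // cross-site form POST
  ['GET',  { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'no-cors',  'sec-fetch-dest': 'image'    }], // <img> hotlink / timing probe
  ['GET',  { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'cors',     'sec-fetch-dest': 'empty'    }], // cross-site fetch()
];
```

Because the browser, not the page, sets these headers, a malicious document cannot forge `Sec-Fetch-Site: same-origin`; the server gets a trustworthy statement of where the request came from and can say no before any application code runs.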
Spectre
Site Isolation
Cross Origin Resource Policy https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Cross Origin Opener Policy https://github.com/whatwg/html/issues/3740
CORS-Only Mode https://github.com/whatwg/html/issues/4175
Why "site"? Why not "origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
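As an added example (not from the deck or the Fetch spec), the check a browser applies when a response carries `Cross-Origin-Resource-Policy` and was requested in `no-cors` mode (`<img>`, `<script>`, `<audio>`, and so on), which is the opt-in that keeps a cross-site renderer process from ever holding your bytes where Spectre could read them. It also makes the "site" versus "origin" distinction from the previous slide concrete: `app.bank.example` and `cdn.bank.example` are different origins but one site. The registrable-domain helper assumes one-label public suffixes; a real implementation consults the Public Suffix List.

```javascript
// Added example: Cross-Origin-Resource-Policy check, and site vs. origin.

// Origin: scheme + host + port, compared exactly.
function originOf(url) {
  return new URL(url).origin;
}

// Registrable domain (eTLD+1). Assumption: every public suffix is one label, so
// "cdn.bank.example" -> "bank.example". Use the Public Suffix List in production.
function registrableDomain(host) {
  const labels = host.split('.');
  return labels.length <= 2 ? host : labels.slice(-2).join('.');
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// "Same site" as the 2019-era specs used it: hosts share a registrable domain.
function sameSite(a, b) {
  return registrableDomain(new URL(a).hostname) === registrableDomain(new URL(b).hostname);
}

// Does the response body get exposed to the requesting context?
//   corpHeader     value of Cross-Origin-Resource-Policy on the response (or undefined)
//   requestOrigin  origin of the document that issued the request
//   responseUrl    URL the response came from
//   requestMode    'no-cors' | 'cors' | 'same-origin'
function corpAllows(corpHeader, requestOrigin, responseUrl, requestMode = 'no-cors') {
  // CORP only governs no-cors fetches; cors-mode responses are decided by CORS headers.
  if (requestMode !== 'no-cors') return true;

  const policy = (corpHeader || '').trim().toLowerCase();
  if (policy !== 'same-origin' && policy !== 'same-site') return true; // absent or unknown: no restriction

  if (sameOrigin(requestOrigin, responseUrl)) return true;
  if (policy === 'same-origin') return false;

  // same-site: shared registrable domain, and a non-secure requester may not
  // read a secure response (an http:// page on the site could be an attacker's MITM).
  const requestScheme = new URL(requestOrigin).protocol;
  const responseScheme = new URL(responseUrl).protocol;
  return sameSite(requestOrigin, responseUrl) && (requestScheme === 'https:' || responseScheme === 'http:');
}

// Constructed sample: a CDN serving only its own site, probed by a cross-site page.
const CDN_SCRIPT = 'https://cdn.bank.example/app.js';
const APP_ORIGIN = 'https://app.bank.example';
const EVIL_ORIGIN = 'https://evil.example';
```

Set `Cross-Origin-Resource-Policy: same-site` on the CDN and `corpAllows('same-site', APP_ORIGIN, CDN_SCRIPT)` is true while `corpAllows('same-site', EVIL_ORIGIN, CDN_SCRIPT)` is false: the evil page's `<script>` or `<img>` load is blocked before the body reaches its process. `same-origin` is the stricter choice for responses only your own origin should ever embed.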
Feature Policy https://w3c.github.io/webappsec-feature-policy/
Origin Policy https://wicg.github.io/origin-policy/
Thanks! Mike West, [email protected], @mikewest