Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
Web Platform Security @ CMS Security Summit
Mike West
PRO
January 30, 2019
Programming
0
64
Web Platform Security @ CMS Security Summit
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Mike West
PRO
January 30, 2019
Tweet
Share
More Decks by Mike West
See All by Mike West
mikewest
PRO
0
850
mikewest
PRO
0
140
mikewest
PRO
0
1.3k
mikewest
PRO
1
96
mikewest
PRO
0
330
mikewest
PRO
2
580
mikewest
PRO
0
240
mikewest
PRO
5
1.3k
mikewest
PRO
2
970
Other Decks in Programming
See All in Programming
mraible
PRO
2
340
kkagurazaka
1
150
n8ebel
1
200
tkmnzm
0
160
massa142
0
310
gorou_178
0
120
teshi04
5
2.1k
uri
2
200
jogannaoki
0
1.3k
solt9029
10
2.5k
afilina
PRO
3
450
kamilahsantos
1
100
Featured
See All Featured
mclloyd
PRO
6
7.5k
aarron
261
36k
tanoku
91
8.9k
brad_frost
162
6.8k
matthewcrist
73
7.7k
addyosmani
496
110k
denniskardys
223
120k
productmarketing
11
1.1k
samlambert
238
10k
lauravandoore
18
2.1k
jonyablonski
38
1.8k
geeforr
336
30k
Transcript
Proprietary + Confidential Proprietary + Confidential Web Platform Security @
CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West, mkwst@google.com, @mikewest
Proprietary + Confidential Proprietary + Confidential HTTPS
Proprietary + Confidential https://transparencyreport.google.com/https/overview
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually
Proprietary + Confidential Proprietary + Confidential What's next? We aim
to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
Proprietary + Confidential Proprietary + Confidential What's next? We're exploring
locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
Proprietary + Confidential Proprietary + Confidential XSS / XSSI /
CSRF
Proprietary + Confidential Proprietary + Confidential CSP is great. You
should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/
Proprietary + Confidential Proprietary + Confidential Spectre
Proprietary + Confidential Proprietary + Confidential
Proprietary + Confidential Proprietary + Confidential Site Isolation
Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740
Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175
Proprietary + Confidential Proprietary + Confidential Why "site"? Why not
"origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/
Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/
Proprietary + Confidential Proprietary + Confidential Thanks! Mike West mkwst@google.com
@mikewest
mikewest
mraible
kkagurazaka
n8ebel
tkmnzm
massa142
gorou_178
teshi04
uri
jogannaoki
solt9029
afilina
kamilahsantos
mclloyd
aarron
tanoku
brad_frost
matthewcrist
addyosmani
denniskardys
productmarketing
samlambert
lauravandoore
jonyablonski
geeforr
