Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

Web Platform Security @ CMS Security Summit

Avatar for Mike West Mike West
January 30, 2019
Programming
0
140

Web Platform Security @ CMS Security Summit

A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.

Avatar for Mike West

Mike West

January 30, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
Avatar for Mike West mikewest
0
130
Isolation by Default
Avatar for Mike West mikewest
0
2k
The Web We Can Ship
Avatar for Mike West mikewest
0
530
Web Platform Security @ CMS Security Summit 2020
Avatar for Mike West mikewest
0
3.5k
Web Platform Security @ TechDays 2019
Avatar for Mike West mikewest
1
190
Cookies are bad @ HTTP Workshop 2019
Avatar for Mike West mikewest
0
490
Web Platform Security PhD Summit @ Google Munich
Avatar for Mike West mikewest
2
1.1k
BSides Munich
Avatar for Mike West mikewest
0
360
Hardening the Web Platform - AppSec EU, 2016
Avatar for Mike West mikewest
5
1.5k

Other Decks in Programming

See All in Programming
堅牢なフロントエンドテスト基盤を構築するために行った取り組み
Avatar for Shogo Fukami shogo4131
8
2.4k
AIコーディングエージェント(NotebookLM)
Avatar for kondai kondai24
0
210
JETLS.jl ─ A New Language Server for Julia
Avatar for abap34 abap34
1
420
Flutter On-device AI로 완성하는 오프라인 앱, 박제창 @DevFest INCHEON 2025
Avatar for JaiChangPark itsmedreamwalker
1
120
TUIライブラリつくってみた / i-just-make-TUI-library
Avatar for kazto kazto
1
390
DevFest Android in Korea 2025 - 개발자 커뮤니티를 통해 얻는 가치
Avatar for Suhyeon Kim wisemuji
0
150
これならできる!個人開発のすゝめ
Avatar for Tsubasa SEKIGUCHI tinykitten
PRO
0
110
Claude Codeの「Compacting Conversation」を体感50%減! CLAUDE.md + 8 Skills で挑むコンテキスト管理術
Avatar for Kazuki Murahama kmurahama
1
390
tsgolintはいかにしてtypescript-goの非公開APIを呼び出しているのか
Avatar for syumai syumai
7
2.2k
リリース時」テストから「デイリー実行」へ!開発マネージャが取り組んだ、レガシー自動テストのモダン化戦略
Avatar for goataka (GOAMI Takaaki) goataka
0
130
tparseでgo testの出力を見やすくする
Avatar for utagawa kiki utgwkk
2
240
手が足りない!兼業データエンジニアに必要だったアーキテクチャと立ち回り
Avatar for zinkosuke zinkosuke
0
750

Featured

See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.3k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
33
1.4k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
73
11k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
12
980
Designing Experiences People Love
Avatar for Jonathan Moore moore
143
24k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.3k
Docker and Python
Avatar for Tania Allard trallard
47
3.7k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
174
15k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
12k

Transcript

  1. Proprietary + Confidential Proprietary + Confidential Web Platform Security @

    CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West, [email protected], @mikewest

  2. Proprietary + Confidential Proprietary + Confidential HTTPS

  3. Proprietary + Confidential https://transparencyreport.google.com/https/overview

  4. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today

  5. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually

  6. Proprietary + Confidential Proprietary + Confidential What's next? We aim

    to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad

  7. Proprietary + Confidential Proprietary + Confidential What's next? We're exploring

    locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint

  8. Proprietary + Confidential Proprietary + Confidential XSS / XSSI /

    CSRF

  9. Proprietary + Confidential Proprietary + Confidential CSP is great. You

    should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/

  10. Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

  11. Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/

  12. Proprietary + Confidential Proprietary + Confidential Spectre

  13. Proprietary + Confidential Proprietary + Confidential

  14. Proprietary + Confidential Proprietary + Confidential Site Isolation

  15. Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy

    https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

  16. Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy

    https://github.com/whatwg/html/issues/3740

  17. Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175

  18. Proprietary + Confidential Proprietary + Confidential Why "site"? Why not

    "origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739

  19. Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/

  20. Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/

  21. Proprietary + Confidential Proprietary + Confidential Thanks! Mike West [email protected]

    @mikewest