Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security @ CMS Security Summit
Search
Mike West
January 30, 2019
Programming
0
130
Web Platform Security @ CMS Security Summit
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Mike West
January 30, 2019
Tweet
Share
More Decks by Mike West
See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
0
120
Isolation by Default
mikewest
0
1.9k
The Web We Can Ship
mikewest
0
500
Web Platform Security @ CMS Security Summit 2020
mikewest
0
3.3k
Web Platform Security @ TechDays 2019
mikewest
1
180
Cookies are bad @ HTTP Workshop 2019
mikewest
0
460
Web Platform Security PhD Summit @ Google Munich
mikewest
2
990
BSides Munich
mikewest
0
340
Hardening the Web Platform - AppSec EU, 2016
mikewest
5
1.5k
Other Decks in Programming
See All in Programming
プロダクト志向ってなんなんだろうね
righttouch
PRO
0
190
PipeCDのプラグイン化で目指すところ
warashi
1
270
PHPでWebSocketサーバーを実装しよう2025
kubotak
0
280
RailsGirls IZUMO スポンサーLT
16bitidol
0
180
ISUCON研修おかわり会 講義スライド
arfes0e2b3c
1
440
地方に住むエンジニアの残酷な現実とキャリア論
ichimichi
5
1.5k
Rubyでやりたい駆動開発 / Ruby driven development
chobishiba
1
700
git worktree × Claude Code × MCP ~生成AI時代の並列開発フロー~
hisuzuya
1
570
20250628_非エンジニアがバイブコーディングしてみた
ponponmikankan
0
680
Google Agent Development Kit でLINE Botを作ってみた
ymd65536
2
250
なぜ適用するか、移行して理解するClean Architecture 〜構造を超えて設計を継承する〜 / Why Apply, Migrate and Understand Clean Architecture - Inherit Design Beyond Structure
seike460
PRO
3
760
WebViewの現在地 - SwiftUI時代のWebKit - / The Current State Of WebView
marcy731
0
120
Featured
See All Featured
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Intergalactic Javascript Robots from Outer Space
tanoku
271
27k
Speed Design
sergeychernyshev
32
1k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
Side Projects
sachag
455
42k
Building Adaptive Systems
keathley
43
2.7k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
510
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.4k
Reflections from 52 weeks, 52 projects
jeffersonlam
351
20k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Transcript
Proprietary + Confidential Proprietary + Confidential Web Platform Security @
CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West,
[email protected]
, @mikewest
Proprietary + Confidential Proprietary + Confidential HTTPS
Proprietary + Confidential https://transparencyreport.google.com/https/overview
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually
Proprietary + Confidential Proprietary + Confidential What's next? We aim
to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
Proprietary + Confidential Proprietary + Confidential What's next? We're exploring
locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
Proprietary + Confidential Proprietary + Confidential XSS / XSSI /
CSRF
Proprietary + Confidential Proprietary + Confidential CSP is great. You
should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/
Proprietary + Confidential Proprietary + Confidential Spectre
Proprietary + Confidential Proprietary + Confidential
Proprietary + Confidential Proprietary + Confidential Site Isolation
Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740
Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175
Proprietary + Confidential Proprietary + Confidential Why "site"? Why not
"origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/
Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/
Proprietary + Confidential Proprietary + Confidential Thanks! Mike West
[email protected]
@mikewest