Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security @ CMS Security Summit
Search
Mike West
January 30, 2019
Programming
0
150
Web Platform Security @ CMS Security Summit
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Mike West
January 30, 2019
Tweet
Share
More Decks by Mike West
See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
0
130
Isolation by Default
mikewest
0
2k
The Web We Can Ship
mikewest
0
540
Web Platform Security @ CMS Security Summit 2020
mikewest
0
3.6k
Web Platform Security @ TechDays 2019
mikewest
1
200
Cookies are bad @ HTTP Workshop 2019
mikewest
0
510
Web Platform Security PhD Summit @ Google Munich
mikewest
2
1.1k
BSides Munich
mikewest
0
380
Hardening the Web Platform - AppSec EU, 2016
mikewest
5
1.5k
Other Decks in Programming
See All in Programming
Agentic AI: Evolution oder Revolution
mobilelarson
PRO
0
170
TipKitTips
ktcryomm
0
170
encoding/json/v2のUnmarshalはこう変わった:内部実装で見る設計改善
kurakura0916
0
410
What Spring Developers Should Know About Jakarta EE
ivargrimstad
0
460
AIコードレビューの導入・運用と AI駆動開発における「AI4QA」の取り組みについて
hagevvashi
0
450
受け入れテスト駆動開発(ATDD)×AI駆動開発 AI時代のATDDの取り組み方を考える
kztakasaki
2
570
AIに任せる範囲を安全に広げるためにやっていること
fukucheee
0
130
Angular-Apps smarter machen mit Gen AI: Lokal und offlinefähig - Hands-on Workshop!
christianliebel
PRO
0
110
ロボットのための工場に灯りは要らない
watany
10
2.8k
AI時代のシステム設計:ドメインモデルで変更しやすさを守る設計戦略
masuda220
PRO
5
960
AIとペアプロして処理時間を97%削減した話 #pyconshizu
kashewnuts
1
230
守る「だけ」の優しいEMを抜けて、 事業とチームを両方見る視点を身につけた話
maroon8021
3
850
Featured
See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
55k
RailsConf 2023
tenderlove
30
1.4k
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
1
400
Organizational Design Perspectives: An Ontology of Organizational Design Elements
kimpetersen
PRO
1
640
Statistics for Hackers
jakevdp
799
230k
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
150
The untapped power of vector embeddings
frankvandijk
2
1.6k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.7k
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
akihiro_kokubo
PRO
67
37k
Design in an AI World
tapps
0
170
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
122
21k
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
1
480
Transcript
Proprietary + Confidential Proprietary + Confidential Web Platform Security @
CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West,
[email protected]
, @mikewest
Proprietary + Confidential Proprietary + Confidential HTTPS
Proprietary + Confidential https://transparencyreport.google.com/https/overview
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually
Proprietary + Confidential Proprietary + Confidential What's next? We aim
to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
Proprietary + Confidential Proprietary + Confidential What's next? We're exploring
locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
Proprietary + Confidential Proprietary + Confidential XSS / XSSI /
CSRF
Proprietary + Confidential Proprietary + Confidential CSP is great. You
should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/
Proprietary + Confidential Proprietary + Confidential Spectre
Proprietary + Confidential Proprietary + Confidential
Proprietary + Confidential Proprietary + Confidential Site Isolation
Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740
Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175
Proprietary + Confidential Proprietary + Confidential Why "site"? Why not
"origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/
Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/
Proprietary + Confidential Proprietary + Confidential Thanks! Mike West
[email protected]
@mikewest
mikewest
mobilelarson
ktcryomm
kurakura0916
ivargrimstad
hagevvashi
kztakasaki
fukucheee
christianliebel
watany
masuda220
kashewnuts
maroon8021
aki_iinuma
tenderlove
katarinadahlin
kimpetersen
jakevdp
nikkihalliwell
frankvandijk
marktimemedia
akihiro_kokubo
tapps
panda_program
inesmontani
![Proprietary + Confidential Proprietary + Confidential Thanks! Mike West [email protected]](https://files.speakerdeck.com/presentations/70872ded6ecc4d7b86a2ffbc0c082c58/slide_20.jpg){kind=link}