Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Web Platform Security @ CMS Security Summit
Mike West
January 30, 2019
Programming
0
51
Web Platform Security @ CMS Security Summit
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Mike West
January 30, 2019
Tweet
Share
More Decks by Mike West
See All by Mike West
mikewest
0
55
mikewest
0
84
mikewest
0
1.1k
mikewest
1
42
mikewest
0
300
mikewest
2
530
mikewest
0
230
mikewest
5
1.3k
mikewest
2
940
Other Decks in Programming
See All in Programming
borkdude
2
210
tkmnzm
0
120
keeeeen
0
110
manfredsteyer
PRO
0
110
nearmugi
0
190
madai0517
1
200
grapecity_dev
0
180
takapy
0
160
grapecity_dev
0
180
grapecity_dev
0
190
ryokbt
2
300
shiz
1
100
Featured
See All Featured
holman
461
280k
ddemaree
273
31k
shlominoach
176
7.5k
bryan
31
3.4k
vanstee
117
4.9k
gr2m
83
11k
orderedlist
PRO
328
36k
keithpitt
401
20k
rasmusluckow
318
18k
kneath
294
39k
jcasabona
8
550
mojombo
359
62k
Transcript
Proprietary + Confidential Proprietary + Confidential Web Platform Security @
CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West, mkwst@google.com, @mikewest
Proprietary + Confidential Proprietary + Confidential HTTPS
Proprietary + Confidential https://transparencyreport.google.com/https/overview
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually
Proprietary + Confidential Proprietary + Confidential What's next? We aim
to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
Proprietary + Confidential Proprietary + Confidential What's next? We're exploring
locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
Proprietary + Confidential Proprietary + Confidential XSS / XSSI /
CSRF
Proprietary + Confidential Proprietary + Confidential CSP is great. You
should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/
Proprietary + Confidential Proprietary + Confidential Spectre
Proprietary + Confidential Proprietary + Confidential
Proprietary + Confidential Proprietary + Confidential Site Isolation
Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740
Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175
Proprietary + Confidential Proprietary + Confidential Why "site"? Why not
"origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/
Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/
Proprietary + Confidential Proprietary + Confidential Thanks! Mike West mkwst@google.com
@mikewest
mikewest
borkdude
tkmnzm
keeeeen
manfredsteyer
nearmugi
madai0517
grapecity_dev
takapy
ryokbt
shiz
holman
ddemaree
shlominoach
bryan
vanstee
gr2m
orderedlist
keithpitt
rasmusluckow
kneath
jcasabona
mojombo
