Web Platform Security (dotSecurity, April 2016)

Like every large software project, browsers are accidentally broken. Put these bugs aside for the moment, and imagine an alternate universe in which the browser implements every relevant standard perfectly. Even in this sincerely mythical world, users aren't safe, because from a security perspective the internet's design is in many ways broken.

I'd like to talk about how we're beginning to mitigate some of these platform-level risks by hardening the defaults, removing barriers to TLS deployment, and giving developers access to new APIs that can be used to lock themselves down by reducing the privilege of their applications to the lowest level necessary.

Mike West

April 22, 2016

Transcript

  1. Web Platform Security Mike West / @mikewest / mkwst@google.com

  2. Ulysses and the Sirens - John William Waterhouse

  3. XSS
    <style> p { color: {{USER_COLOR}}; } </style>
    <p> {{USER_NAME}}, hello! Visit this nice <a href="{{USER_URL}}">link</a>. </p>
    <script> var id = {{USER_ID}}; </script>
    <!-- DEBUG: {{INFO}} -->
  4. CSRF/XSSI innocent-victim.com evil.com

  5. Google's VRP

  8. Privilege Reduction

  9. Content Security Policy

  10. Content-Security-Policy:
    script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com 'nonce-uogXos0C/8QDBoxHOYtXzg==' https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self';
    frame-ancestors 'self';
    font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
    media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
    connect-src https://graph.facebook.com https://*.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://upload.twitter.com https://api.mapbox.com 'self';
    style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
    object-src https://twitter.com https://pbs.twimg.com;
    default-src 'self';
    frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com;
    img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com data: https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://www.google-analytics.com blob: 'self';
    report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

  11. (Same Content-Security-Policy header as slide 10, annotated) twitter.com twitter.com evil.com

  13. Content-Security-Policy:
    default-src https:;
    script-src 'unsafe-inline' 'unsafe-dynamic' https://www.gstatic.com/recaptcha/api2/ 'nonce-dDMnKbh2kR5narOMRoBpGLQDdQl0KFCw';
    child-src https://www.google.com/recaptcha/;
    frame-src https://www.google.com/recaptcha/;
    img-src https: data: blob:;
    style-src https: 'unsafe-inline';
    object-src 'none';
    report-uri /csp.do
    crbug.com nonce-dDMnK... crbug.com not-crbug.com
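
As an added example (not code from the talk), a small Python script that parses a CSP header like the ones on slides 10 and 13 and reports which script-src sources a CSP3 browser actually honours; the two policy strings inside are constructed and condensed from those slides, and 'unsafe-dynamic' is treated as the 2016 draft name of what shipped as 'strict-dynamic'.

```python
"""Added example (not from the talk): parse a CSP header and show which
script-src sources a CSP3 browser still honours once a nonce and
'strict-dynamic' appear. Policies below are constructed from slides 10 and 13."""
import re

# 'unsafe-dynamic' was the 2016 draft name of what shipped as 'strict-dynamic'.
DYNAMIC = {"'strict-dynamic'", "'unsafe-dynamic'"}
NONCE_OR_HASH = re.compile(r"'(nonce|sha256|sha384|sha512)-")

# Constructed, shortened form of the allow-list policy on slide 10.
ALLOWLIST_POLICY = ("script-src https://connect.facebook.net https://twitter.com "
                    "'unsafe-eval' https://*.twimg.com 'nonce-uogXos0C/8QDBoxHOYtXzg==' 'self'; "
                    "object-src https://twitter.com https://pbs.twimg.com; default-src 'self'")
# The nonce-based crbug.com policy on slide 13, trimmed to the relevant directives.
NONCE_POLICY = ("default-src https:; script-src 'unsafe-inline' 'unsafe-dynamic' "
                "https://www.gstatic.com/recaptcha/api2/ 'nonce-dDMnKbh2kR5narOMRoBpGLQDdQl0KFCw'; "
                "object-src 'none'; report-uri /csp.do")

def parse_csp(header: str) -> dict:
    """Split a policy into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_script_src(policy: dict) -> list:
    """Drop what a CSP3 browser ignores: 'unsafe-inline' once a nonce, hash or 'strict-dynamic'
    is present (so slide 13 keeps it only as a CSP1 fallback); 'self' and host/scheme sources under 'strict-dynamic'."""
    sources = policy.get("script-src", policy.get("default-src", []))
    dynamic = bool(DYNAMIC & set(sources))
    keyed = any(NONCE_OR_HASH.match(s) for s in sources)
    effective = []
    for src in sources:
        if src == "'unsafe-inline'" and (keyed or dynamic):
            continue
        if dynamic and (src == "'self'" or not src.startswith("'")):
            continue
        effective.append(src)
    return effective

def review(header: str) -> dict:
    policy = parse_csp(header)
    script = effective_script_src(policy)
    return {"script_src": script,
            "host_allowlist": any(not s.startswith("'") for s in script),
            "unsafe_eval": "'unsafe-eval'" in script,
            "object_src_none": policy.get("object-src") == ["'none'"]}
```

Running review() on both strings shows the point of slides 10 and 13: the allow-list policy still depends on every listed host (and 'unsafe-eval'), while the nonce plus 'unsafe-dynamic' policy reduces to the nonce alone.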
  15. scheme://host:port

  16. scheme://host:port scheme://sub1_host:port scheme://sub2_host:port

  17. scheme://host:port scheme://sub2_host:port ? ? scheme://sub1_host:port

  19. <script src="https://example.com/example-framework.js" integrity="sha384-Li9vy3DqF8tnTXui...bOxEbzJr7" crossorigin="anonymous"></script>
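
As an added example (not code from the talk), Python that generates the integrity value for the tag on slide 19 and checks a fetched body the way the Subresource Integrity algorithm does, where the strongest listed hash algorithm decides; the script bodies and the URL in the tag are constructed.

```python
"""Added example (not from the talk): build the integrity value used in the
<script> tag on slide 19 and check a fetched body the way SRI specifies,
where the strongest listed algorithm decides. The script bodies are constructed."""
import base64
import hashlib

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # only algorithms SRI recognises


def integrity_for(body: bytes, algo: str = "sha384") -> str:
    """Value for integrity="...": algorithm, a dash, then the base64 digest."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def script_tag(src: str, body: bytes) -> str:
    """crossorigin="anonymous" is required for a cross-origin script; without CORS
    the browser may not read the bytes it has to hash."""
    return (f'<script src="{src}" integrity="{integrity_for(body)}" '
            'crossorigin="anonymous"></script>')


def sri_matches(body: bytes, integrity: str) -> bool:
    """Parse the space-separated metadata, ignore unknown algorithms, keep only
    the strongest family, and accept if any digest in that family matches."""
    parsed = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        digest = digest.split("?", 1)[0]  # strip an optional "?options" suffix
        if algo in STRENGTH:
            parsed.append((algo, digest))
    if not parsed:
        return True  # no usable metadata: the resource loads unchecked
    strongest = max(STRENGTH[a] for a, _ in parsed)
    return any(integrity_for(body, a) == f"{a}-{d}"
               for a, d in parsed if STRENGTH[a] == strongest)


# Constructed sample: the framework as published, and a later, different build
# served from the same URL (SRI blocks the second when the tag pins the first).
FRAMEWORK_JS = b"window.exampleFramework = { version: '1.0' };\n"
CHANGED_JS = b"window.exampleFramework = { version: '1.1' };\n"
PINNED = integrity_for(FRAMEWORK_JS)
```

A tag that lists only an algorithm the browser does not know is loaded without any check, so a build step should fail rather than emit such a value.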

  21. innocent-victim.com evil.com

  24. Thanks for listening; go tie your origin to a mast!

    Mike West @mikewest / mkwst@google.com