Defense-in-Depth Techniques for Modern Web Applications and Google’s Journey with CSP - Michele Spagnuolo and Lukas Weichselbaum


In this presentation, we show promising new defense-in-depth techniques to protect modern web applications from old and new classes of bugs: Suborigins to have finer-grained control over origin boundaries, Site Isolation and XSDB against Spectre and Meltdown attacks, and last but not least Origin and Feature Policy.

We also explain new features of the upcoming CSP 3 specification, such as ‘unsafe-hashed-attributes’, and give an overview of how we were able to enforce CSP as a strong mitigation against cross-site scripting on over 50% of Google's production web traffic.
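As an added illustration of how an attribute-hash allowlist works (this is not code from the talk or its slides): the helper below computes CSP hash-source tokens for inline event-handler values and assembles a `script-src` directive around the keyword, then checks a handler value against that directive the way a browser would. The sample handler value and the `build_script_src`/`handler_allowed` names are assumptions of this example; the keyword was later renamed `'unsafe-hashes'` in the published CSP3 specification, so both spellings are accepted by the check.

```python
import base64
import hashlib

# Constructed sample: the JavaScript value of an inline handler attribute,
# e.g. <button onclick="toggleMenu()">. CSP hashes the attribute value only.
SAMPLE_HANDLER = "toggleMenu()"


def csp_hash_source(source, algo="sha256"):
    """Return the CSP hash-source token for an inline script body or an
    inline event-handler value, e.g. "sha256-<base64 digest>"."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only accepts sha256, sha384 or sha512")
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_script_src(handler_sources, hashes_keyword="'unsafe-hashed-attributes'"):
    """Build a script-src directive that allows exactly the listed inline
    event handlers by hash. The default keyword is the early CSP3 name used
    in the talk; the published spec calls it 'unsafe-hashes'."""
    tokens = ["script-src", "'self'", hashes_keyword]
    tokens += [f"'{csp_hash_source(src)}'" for src in sorted(set(handler_sources))]
    return " ".join(tokens)


def handler_allowed(script_src, source):
    """Defender-side check: would this inline handler value execute under the
    directive? Needs the hashes keyword plus a hash token matching the value
    byte-for-byte, so any injected or modified handler is refused."""
    tokens = script_src.split()
    has_keyword = any(t in ("'unsafe-hashed-attributes'", "'unsafe-hashes'") for t in tokens)
    wanted = {f"'{csp_hash_source(source, a)}'" for a in ("sha256", "sha384", "sha512")}
    return has_keyword and any(t in wanted for t in tokens)


if __name__ == "__main__":
    policy = build_script_src([SAMPLE_HANDLER])
    print("Content-Security-Policy:", policy)
    print("sample handler allowed:", handler_allowed(policy, SAMPLE_HANDLER))
    print("tampered handler allowed:", handler_allowed(policy, SAMPLE_HANDLER + "; x()"))
```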


Michele Spagnuolo

April 13, 2018