Web Application Security: future standards and technologies

oxdef
June 06, 2015

OWASP Russia Meetup #3


Transcript

  1. OWASP Russia Meetup #3
    Web Application Security: future standards and technologies

  4. Web Application Security Working Group
    The mission of the Web Application Security Working Group, part of the Security Activity, is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication.
    http://www.w3.org/2014/12/webappsec-charter-2015

  5. Agenda

    CSP2 (very shortly)

    Subresource Integrity

    Referrer Policy

    Credential Management API

    Confinement with Origin Web Labels

    Entry Point Regulation for Web Applications

  6. CSP2

    www.w3.org/TR/CSP2/

    nonces & hashes!!!11111

    frame-ancestors to replace X-Frame-Options

    unsafe-redirect

    The CSP HTTP Request Header

    More information in violation reports

  7. CSP2 nonces
    Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-Nc3n83cn...9hc3'

    <script nonce="Nc3n83cn...9hc3">
      alert("Allowed because nonce is valid.")
    </script>

  8. Subresource Integrity

    www.w3.org/TR/SRI/

    Integrity verification via cryptographic hash
    <script src="https://example.com/example-framework.js"
            integrity="sha256-C6CB9UYIS9UJeq...5Twh+Y5qFQmYg="
            crossorigin="anonymous"></script>


  10. Referrer Policy

    www.w3.org/TR/referrer-policy/

    None, None when downgrade, Origin Only, Origin when cross-origin, Unsafe URL

  11. Credential Management API

    www.w3.org/TR/credential-management-1/

    Allow websites to interact more directly with the user agent's credential manager

    Help detect sign-in via a third party

    Changing passwords

  12. Password-based Sign-in
    navigator.credentials.get({
      "types": [ "password" ]
    }).then(function(credential) {
      if (!credential) {
        // show basic form
        return;
      }
      if (credential.type == "PasswordCredential") {
        credential.send("https://example.com/login")
          .then(function (response) {
            // signin succeeded!
          });
      } else {
        // See the Federated Sign-in example
      }
    });

  13. And the last...

    Confinement with Origin Web Labels

    Entry Point Regulation for Web Applications

    Permissions API

    Suborigin Namespaces

    Mixed Content

    User Interface Security Directives for Content Security Policy

  15. Thanks!
    mailto:[email protected]
