Web Application Security: future standards and technologies

Transcript

1. OWASP Russia Meetup #3
   Web Application Security: future standards and
   technologies
   

   View Slide

2. View Slide

3. View Slide

4. Web Application Security Working
   Group
   The mission of the Web Application Security
   Working Group, part of the Security Activity, is to
   develop security and policy mechanisms to
   improve the security of Web Applications, and
   enable secure cross-origin communication.
   http://www.w3.org/2014/12/webappsec-charter-2015
   

   View Slide

5. Agenda
   ●
   CSP2 (very shortly)
   ●
   Subresource Integrity
   ●
   Referrer Policy
   ●
   Credential Management API
   ●
   Confinement with Origin Web Labels
   ●
   Entry Point Regulation for Web Applications
   

   View Slide

6. CSP2
   ●
   www.w3.org/TR/CSP2/
   ●
   nonces & hashes!!!11111
   ●
   frame-ancestors to replace X-Frame-
   Options
   ●
   unsafe-redirect
   ●
   The CSP HTTP Request Header
   ●
   More information in violation reports
   

   View Slide

7. CSP2 nonces
   Content-Security-Policy: default-src
   'self'; script-src 'self'
   https://example.com 'nonce-
   Nc3n83cn...9hc3'
   <br/>alert("Allowed because nonce is<br/>valid.")<br/>
   

   View Slide

8. Subresource Integrity
   ●
   www.w3.org/TR/SRI/
   ●
   Integrity verification via cryptographic hash
   src="https://example.com/example-
   framework.js" integrity="sha256-
   C6CB9UYIS9UJeq...5Twh+Y5qFQmYg="
   crossorigin="anonymous">
   

   View Slide

9. View Slide

10. RefeRRer Policy
    ●
    www.w3.org/TR/referrer-policy/
    ●
    
    ●
    None, None when downgrade, Origin Only,
    Origin when cross-origin, Unsafe URL
    

    View Slide

11. Credential Management API
    ●
    www.w3.org/TR/credential-management-1/
    ●
    Allow websites to more directly interact with the
    user agent’s credential manager
    ●
    Help to detect sign-in via a third-party
    ●
    Changing Password
    

    View Slide

12. Password-based Sign-in
    navigator.credentials.get({
    "types": [ "password" ]
    }).then(
    function(credential) {
    if (!credential) {
    // show basic form
    return;
    }
    if (credential.type == "PasswordCredential") {
    credential.send("https://example.com/login")
    .then(function (response) {
    // signin succeeded!
    });
    } else {
    // See the Federated Sign-in example
    }
    });
    

    View Slide

13. And the last...
    ●
    Confinement with Origin Web Labels
    ●
    Entry Point Regulation for Web Applications
    ●
    Permissions API
    ●
    Suborigin Namespaces
    ●
    Mixed Content
    ●
    User Interface Security Directives for Content
    Security Policy
    

    View Slide

14. View Slide

15. Thanks!
    mailto:[email protected]
    

    View Slide