Web Application Security: future standards and technologies

oxdef
June 06, 2015

OWASP Russia Meetup #3

Transcript

  1. OWASP Russia Meetup #3
    Web Application Security: future standards and
    technologies

  2. Web Application Security Working Group
    The mission of the Web Application Security Working Group, part of the Security Activity, is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication.
    http://www.w3.org/2014/12/webappsec-charter-2015

  3. Agenda

    CSP2 (very shortly)

    Subresource Integrity

    Referrer Policy

    Credential Management API

    Confinement with Origin Web Labels

    Entry Point Regulation for Web Applications

  4. CSP2

    www.w3.org/TR/CSP2/

    nonces & hashes!!!11111

    frame-ancestors to replace X-Frame-Options

    unsafe-redirect

    The CSP HTTP Request Header

    More information in violation reports

  5. CSP2 nonces
    Content-Security-Policy: default-src 'self'; script-src 'self' https://example.com 'nonce-Nc3n83cn...9hc3'

    <script nonce="Nc3n83cn...9hc3">alert("Allowed because nonce is valid.")</script>

  6. Subresource Integrity

    www.w3.org/TR/SRI/

    Integrity verification via cryptographic hash
    <script src="https://example.com/example-framework.js"
            integrity="sha256-C6CB9UYIS9UJeq...5Twh+Y5qFQmYg="
            crossorigin="anonymous"></script>

  7. Referrer Policy

    www.w3.org/TR/referrer-policy/

    None, None when downgrade, Origin Only, Origin when cross-origin, Unsafe URL

  8. Credential Management API

    www.w3.org/TR/credential-management-1/

    Allow websites to more directly interact with the user agent's credential manager

    Help to detect sign-in via a third-party

    Changing Password

  9. Password-based Sign-in
    navigator.credentials.get({
      "types": [ "password" ]
    }).then(function(credential) {
      if (!credential) {
        // show basic form
        return;
      }
      if (credential.type == "PasswordCredential") {
        credential.send("https://example.com/login")
          .then(function (response) {
            // signin succeeded!
          });
      } else {
        // See the Federated Sign-in example
      }
    });

  10. And the last...

    Confinement with Origin Web Labels

    Entry Point Regulation for Web Applications

    Permissions API

    Suborigin Namespaces

    Mixed Content

    User Interface Security Directives for Content Security Policy