Slide 1

Web Platform Security
Mike West / @mikewest / mkwst@google.com

Slide 2

Ulysses and the Sirens - John William Waterhouse

Slide 3

XSS

p { color: {{USER_COLOR}}; }

{{USER_NAME}}, hello! Visit this nice link.

var id = {{USER_ID}};

Slide 4

CSRF/XSSI

Diagram labels: innocent-victim.com, evil.com

Slide 5

Google's VRP

Slide 8

Privilege Reduction

Slide 9

Content Security Policy

Slide 10

Content-Security-Policy:
  script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com 'nonce-uogXos0C/8QDBoxHOYtXzg==' https://www.google.com https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com 'self';
  frame-ancestors 'self';
  font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
  media-src https://twitter.com https://*.twimg.com https://ton.twitter.com blob: 'self';
  connect-src https://graph.facebook.com https://*.giphy.com https://pay.twitter.com https://analytics.twitter.com https://media.riffsy.com https://upload.twitter.com https://api.mapbox.com 'self';
  style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
  object-src https://twitter.com https://pbs.twimg.com;
  default-src 'self';
  frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com 'self' https://donate.twitter.com;
  img-src https://graph.facebook.com https://*.giphy.com https://twitter.com https://*.twimg.com data: https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://stats.g.doubleclick.net https://*.tiles.mapbox.com https://www.google-analytics.com blob: 'self';
  report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

Slide 11

(Same Content-Security-Policy header as slide 10.)

Diagram labels: twitter.com, twitter.com, evil.com

Slide 13

Content-Security-Policy:
  default-src https:;
  script-src 'unsafe-inline' 'unsafe-dynamic' https://www.gstatic.com/recaptcha/api2/ 'nonce-dDMnKbh2kR5narOMRoBpGLQDdQl0KFCw';
  child-src https://www.google.com/recaptcha/;
  frame-src https://www.google.com/recaptcha/;
  img-src https: data: blob:;
  style-src https: 'unsafe-inline';
  object-src 'none';
  report-uri /csp.do

Diagram labels: crbug.com, nonce-dDMnK..., crbug.com, not-crbug.com

Slide 15

scheme://host:port

Slide 16

scheme://host:port
scheme://sub1_host:port
scheme://sub2_host:port

Slide 17

scheme://host:port scheme://sub2_host:port ? ? scheme://sub1_host:port

Slide 21

Diagram labels: innocent-victim.com, evil.com

Slide 24

Thanks for listening; go tie your origin to a mast!
Mike West @mikewest / mkwst@google.com