Slide 1

Proprietary + Confidential
Web Platform Security @ CMS Security Summit - 2019-01-30
Mike West, [email protected], @mikewest

Slide 2

HTTPS

Slide 3

https://transparencyreport.google.com/https/overview

Slide 4

Address Bar UX: Today

Slide 5

Address Bar UX: Eventually

Slide 6

What's next? We aim to expire non-secure cookies early rather than sending them over non-secure connections.
https://github.com/mikewest/cookies-over-http-bad
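A toy cookie-jar model of the idea on this slide, added here as an illustration; it is not the text of the linked proposal or Chrome's implementation. The assumed policy is that a cookie without the `Secure` attribute, whenever it is set or sent over `http://`, has its expiry clamped to `now + NON_SECURE_MAX_AGE` (the one-day cap, the exact-host matching and the sample values are constructed for the example). `Secure` cookies are never attached to non-secure requests, which follows RFC 6265bis.

```python
"""Model of 'expire non-secure cookies early rather than refuse to send them'.

Added example: the cap, host matching and sample values are assumptions,
not the proposal's or any browser's actual behaviour.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

NON_SECURE_MAX_AGE = 24 * 3600  # assumed cap: one day of life after non-secure exposure


@dataclass
class Cookie:
    name: str
    value: str
    host: str        # exact host match only, to keep the model small
    secure: bool     # Secure attribute present?
    expires: float   # absolute timestamp in seconds; the cookie is gone after this


class CookieJar:
    def __init__(self) -> None:
        self._cookies: list[Cookie] = []

    def _purge(self, now: float) -> None:
        self._cookies = [c for c in self._cookies if c.expires > now]

    def set_cookie(self, url: str, cookie: Cookie, now: float) -> bool:
        """Store a cookie set by a response from `url`; False if it is rejected."""
        scheme = urlparse(url).scheme
        # Secure cookies may only be set from secure origins (RFC 6265bis).
        if cookie.secure and scheme != "https":
            return False
        # Assumed policy: a non-secure cookie set over http:// lives at most NON_SECURE_MAX_AGE.
        if not cookie.secure and scheme != "https":
            cookie.expires = min(cookie.expires, now + NON_SECURE_MAX_AGE)
        self._purge(now)
        # A cookie with the same name and host replaces the stored one.
        self._cookies = [c for c in self._cookies
                         if (c.name, c.host) != (cookie.name, cookie.host)]
        self._cookies.append(cookie)
        return True

    def cookies_for(self, url: str, now: float) -> list[Cookie]:
        """Cookies attached to a request for `url`, applying the early-expiry policy."""
        self._purge(now)
        parts = urlparse(url)
        secure_conn = parts.scheme == "https"
        out = []
        for c in self._cookies:
            if c.host != parts.hostname:
                continue
            if c.secure and not secure_conn:
                continue  # Secure cookies never travel over http://
            if not secure_conn:
                # Sending over http:// exposes the cookie to the network, so its
                # remaining life is shortened instead of the request being stripped.
                c.expires = min(c.expires, now + NON_SECURE_MAX_AGE)
            out.append(c)
        return out


if __name__ == "__main__":
    jar, now = CookieJar(), 1_000_000.0
    jar.set_cookie("https://example.test/", Cookie("sid", "abc", "example.test", False, now + 365 * 86400), now)
    print([c.name for c in jar.cookies_for("http://example.test/", now)])          # sent, but now short-lived
    print(jar.cookies_for("https://example.test/", now + NON_SECURE_MAX_AGE + 1))  # gone a day later
```

The point of the model is the trade-off on the slide: a year-long session cookie that is ever carried over plain HTTP keeps working for the moment, but its lifetime collapses to the cap, so the window in which a network observer can replay it is bounded.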

Slide 7

What's next? We're exploring locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Language`).
https://tools.ietf.org/html/draft-west-ua-client-hints
https://tools.ietf.org/html/draft-west-lang-client-hint

Slide 8

XSS / XSSI / CSRF

Slide 9

CSP is great. You should use it!
https://csp.withgoogle.com
Trusted Types looks promising. Please give us feedback!
https://github.com/WICG/trusted-types/

Slide 10

SameSite Cookies
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

Slide 11

Fetch Metadata
https://mikewest.github.io/sec-metadata/
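Fetch Metadata gives the server the `Sec-Fetch-Site`, `Sec-Fetch-Mode` and `Sec-Fetch-Dest` request headers, which is enough to reject the cross-site request shapes behind the XSSI and CSRF bullets earlier in the deck. The server-side check below is an added example, not code from the talk or the specification: the header names and values are the spec's, while the decision rules (allow same-origin/same-site/user-initiated traffic and cross-site GET navigations, block other cross-site requests) and the sample requests are constructed for this illustration.

```python
"""Resource Isolation Policy built on Fetch Metadata request headers.

Added example. Header names/values follow the Fetch Metadata spec; the policy
and the sample requests are constructed for illustration.
"""
from typing import Mapping, Tuple

# <object>/<embed> loads arrive as mode=navigate; a cross-site navigation is only
# allowed for genuine top-level documents, not for these embeddable destinations.
EMBED_DESTS = {"object", "embed"}


def allow_request(method: str, headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single request."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    site = h.get("sec-fetch-site")
    mode = h.get("sec-fetch-mode")
    dest = h.get("sec-fetch-dest")

    if site is None:
        # No Fetch Metadata: a browser that does not send it. Nothing to decide on.
        return True, "no-fetch-metadata"
    if site in ("same-origin", "same-site", "none"):
        # Own origin or site, or a user-initiated request (address bar, bookmark).
        return True, f"site={site}"
    if mode == "navigate" and method.upper() == "GET" and dest not in EMBED_DESTS:
        # Cross-site top-level GET navigation: links from other sites keep working.
        return True, "cross-site-navigation"
    # Cross-site subresource loads, cross-site fetch()/XHR, cross-site POST navigations.
    return False, f"blocked: cross-site mode={mode} dest={dest}"


def status_for(method: str, headers: Mapping[str, str]) -> int:
    """HTTP status a front-end middleware would return before reaching the app."""
    allowed, _ = allow_request(method, headers)
    return 200 if allowed else 403


# Constructed sample requests (label, method, headers).
SAMPLES = [
    ("same-origin script", "GET",
     {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "script"}),
    ("cross-site link click", "GET",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    ("cross-site <img> load (XSSI shape)", "GET",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}),
    ("cross-site form POST (CSRF shape)", "POST",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    ("cross-site <object> load", "GET",
     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "object"}),
    ("same-site fetch() POST", "POST",
     {"sec-fetch-site": "same-site", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty"}),
    ("browser without Fetch Metadata", "GET", {}),
]


def run_samples() -> dict:
    """Map each sample label to the status the policy assigns it."""
    return {label: status_for(method, headers) for label, method, headers in SAMPLES}


if __name__ == "__main__":
    for label, status in run_samples().items():
        print(f"{status}  {label}")
```

Because the browser, not the page, sets these headers, the check costs one comparison per request and needs no per-request token; it complements SameSite cookies and CSP from the previous slides rather than replacing them, since browsers without Fetch Metadata fall through unchanged.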

Slide 12

Spectre

Slide 13


Slide 14

Site Isolation

Slide 15

Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

Slide 16

Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740

Slide 17

CORS-Only Mode
https://github.com/whatwg/html/issues/4175

Slide 18

Why "site"? Why not "origin"?
https://www.chromestatus.com/metrics/feature/timeline/popularity/739

Slide 19

Feature Policy
https://w3c.github.io/webappsec-feature-policy/

Slide 20

Origin Policy
https://wicg.github.io/origin-policy/

Slide 21

Thanks!
Mike West, [email protected], @mikewest