Slide 1

Hardening the Web Platform
Mike West, @mikewest, [email protected]
https://goo.gl/YyrmXp

Slides 2 to 5

No content

Slide 6

https://goo.gl/MycPb7

Slide 7

"Sharpening", https://flic.kr/p/sbo18H

Slide 8

"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

Slide 9

"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

Slide 10

No content

Slide 11

https://letsencrypt.org/

Slide 12

https://goo.gl/1r7oNF
https://goo.gl/nzbqQo

Slide 13

Pro tip: Content-Security-Policy: default-src https:; report-uri /reports-r-us
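The pro tip works because a `default-src https:` policy reports every subresource that is not fetched over https. The following is an added example, not code from the talk: it parses the JSON reports such a policy sends to /reports-r-us and boils them down to the hosts still serving plain-http content. Run the policy as Content-Security-Policy-Report-Only while hunting, so nothing is blocked yet. The sample reports, the hosts in them and the function names are constructed for this example.

```javascript
// Added example (not from the slides): triage the reports produced by
// "Content-Security-Policy-Report-Only: default-src https:; report-uri /reports-r-us"
// to find subresources still fetched over plain http.
// The sample reports below are constructed in the JSON shape browsers POST
// to report-uri (one {"csp-report": {...}} object per POST).
const SAMPLE_REPORT_BODIES = [
  JSON.stringify({ "csp-report": {
    "document-uri": "https://example.com/account",
    "effective-directive": "img-src",
    "violated-directive": "img-src https:",
    "blocked-uri": "http://cdn.example.com/avatar.png",
    "original-policy": "default-src https:; report-uri /reports-r-us",
  } }),
  JSON.stringify({ "csp-report": {
    "document-uri": "https://example.com/account",
    "violated-directive": "script-src https:",
    "blocked-uri": "http://analytics.example.net/track.js",
    "original-policy": "default-src https:; report-uri /reports-r-us",
  } }),
  // `default-src https:` also forbids inline script, so reports like this one
  // arrive too; they are not mixed content and must be filtered out.
  JSON.stringify({ "csp-report": {
    "document-uri": "https://example.com/",
    "violated-directive": "script-src https:",
    "blocked-uri": "inline",
    "original-policy": "default-src https:; report-uri /reports-r-us",
  } }),
  "garbage posted by a scanner, not JSON",
];

// Parse one POST body; return the inner csp-report object, or null if unusable.
function parseReport(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return null; }
  const report = parsed && parsed["csp-report"];
  if (!report || typeof report["blocked-uri"] !== "string") return null;
  return report;
}

// A report is mixed content only if the blocked resource is an http: URL.
// Non-URL values ("inline", "eval", "data", "self", ...) are other policy
// violations that a scheme-only policy also surfaces.
function isMixedContent(report) {
  try {
    return new URL(report["blocked-uri"]).protocol === "http:";
  } catch (e) {
    return false;
  }
}

// Aggregate reports by the host that still serves http content, recording
// which documents and which fetch directives were involved.
function triageMixedContent(bodies) {
  const summary = { byHost: {}, otherViolations: 0, malformed: 0 };
  for (const body of bodies) {
    const report = parseReport(body);
    if (report === null) { summary.malformed += 1; continue; }
    if (!isMixedContent(report)) { summary.otherViolations += 1; continue; }
    const host = new URL(report["blocked-uri"]).host;
    const directive = (report["effective-directive"] || report["violated-directive"] || "unknown")
      .split(/\s+/)[0];
    const entry = summary.byHost[host] ||
      (summary.byHost[host] = { count: 0, documents: new Set(), directives: new Set() });
    entry.count += 1;
    entry.documents.add(report["document-uri"]);
    entry.directives.add(directive);
  }
  return summary;
}

// Render a fix list: one line per offending host, most-reported first.
function fixList(summary) {
  return Object.entries(summary.byHost)
    .sort((a, b) => b[1].count - a[1].count)
    .map(([host, e]) =>
      `${host}: ${e.count} report(s) via ${[...e.directives].join(",")} on ${e.documents.size} document(s)`);
}
```

A scheme-only `default-src https:` policy also forbids inline script, eval and `data:` URLs, so the report stream carries plenty of non-mixed-content noise; the isMixedContent filter is what keeps the fix list honest. Once the list is empty, the policy can be switched from Report-Only to enforced.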

Slide 14

Content-Security-Policy: upgrade-insecure-requests
https://goo.gl/hcin3m

Slide 15

https://goo.gl/rStTGz

Slide 16

AppCache, getUserMedia, crypto.subtle.*, ServiceWorker, navigator.credentials, navigator.geolocation, PaymentRequest, EME
https://goo.gl/rStTGz

Slide 17

https://goo.gl/gF2clJ

Slide 18

https://goo.gl/Kd2eMQ

Slide 19

https://goo.gl/Wwpnjw
https://goo.gl/fzVgNt

Slide 20

127.0.0.1
192.168.1.1
192.220.74.179
https://goo.gl/Wwpnjw

Slide 21

"Vintage Camillus 1006", https://flic.kr/p/eNbtJ8

Slide 22

https://goo.gl/Wamh7S

Slide 23

"Making CSP Great Again", https://goo.gl/74D8i5

The policy shown on the slide, one directive per line:

default-src 'none';
base-uri 'self';
block-all-mixed-content;
child-src render.githubusercontent.com;
connect-src 'self' uploads.github.com status.github.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com;
font-src assets-cdn.github.com;
form-action 'self' github.com gist.github.com;
frame-ancestors 'none';
frame-src render.githubusercontent.com;
img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com;
media-src 'none';
object-src assets-cdn.github.com;
plugin-types application/x-shockwave-flash;
script-src assets-cdn.github.com;
style-src 'unsafe-inline' assets-cdn.github.com
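A policy this long is hard to review by eye. As an added example (not from the talk, and not GitHub's tooling), here is a small linter that parses a CSP header value and flags what a reviewer checks first: inline or eval-enabled script-src, wildcard script sources, an unrestricted object-src, and missing base-uri and frame-ancestors. The checks and severities are this example's own opinions, not a complete CSP evaluator; SLIDE_POLICY is the policy shown on the slide and WEAK_POLICY is a constructed counter-example.

```javascript
// Added example (not from the slides): a small CSP linter. SLIDE_POLICY is
// the policy on the slide; WEAK_POLICY is constructed for contrast.
const SLIDE_POLICY = [
  "default-src 'none'", "base-uri 'self'", "block-all-mixed-content",
  "child-src render.githubusercontent.com",
  "connect-src 'self' uploads.github.com status.github.com api.github.com " +
    "www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com",
  "font-src assets-cdn.github.com",
  "form-action 'self' github.com gist.github.com",
  "frame-ancestors 'none'", "frame-src render.githubusercontent.com",
  "img-src 'self' data: assets-cdn.github.com identicons.github.com www.google-analytics.com " +
    "collector.githubapp.com *.gravatar.com *.wp.com *.githubusercontent.com",
  "media-src 'none'", "object-src assets-cdn.github.com",
  "plugin-types application/x-shockwave-flash",
  "script-src assets-cdn.github.com",
  "style-src 'unsafe-inline' assets-cdn.github.com",
].join("; ");

const WEAK_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *";

// Split a policy into directives. CSP ignores all but the first occurrence of
// a directive name, so duplicates are dropped rather than merged.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives fall back to default-src when absent; base-uri,
// frame-ancestors, form-action and sandbox do not.
const FALLS_BACK_TO_DEFAULT = new Set(["script-src", "style-src", "object-src", "img-src",
  "connect-src", "font-src", "media-src", "frame-src", "child-src"]);

function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FALLS_BACK_TO_DEFAULT.has(name) && directives.has("default-src")) {
    return directives.get("default-src");
  }
  return null; // nothing restricts this directive
}

// Return a list of {severity, directive, message} findings.
function lintPolicy(policy) {
  const d = parsePolicy(policy);
  const findings = [];
  const flag = (severity, directive, message) => findings.push({ severity, directive, message });
  const has = (list, keyword) => list.some(s => s.toLowerCase() === keyword);
  // In CSP2 a nonce or hash in the list makes 'unsafe-inline' inert.
  const hasNonceOrHash = list => list.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const isWildcard = s => s === "*" || /^https?:$/i.test(s) || s.startsWith("*.");

  const script = effectiveSources(d, "script-src");
  if (script === null) {
    flag("high", "script-src", "no script-src and no default-src: scripts may load from anywhere");
  } else {
    if (has(script, "'unsafe-inline'") && !hasNonceOrHash(script))
      flag("high", "script-src", "'unsafe-inline' without a nonce or hash: injected inline script still runs");
    if (has(script, "'unsafe-eval'"))
      flag("medium", "script-src", "'unsafe-eval' allows string-to-code (eval, new Function)");
    if (script.some(isWildcard))
      flag("medium", "script-src", "wildcard or scheme-only source: any matching host can supply script");
  }

  const object = effectiveSources(d, "object-src");
  if (object === null || !has(object, "'none'"))
    flag("low", "object-src",
      `plugin content allowed from ${object ? object.join(" ") : "anywhere"}; prefer object-src 'none'`);

  if (!d.has("base-uri"))
    flag("medium", "base-uri", "missing: an injected <base> tag can redirect relative script URLs");
  if (!d.has("frame-ancestors"))
    flag("low", "frame-ancestors", "missing: framing is only limited if X-Frame-Options is also sent");

  const style = effectiveSources(d, "style-src");
  if (style !== null && has(style, "'unsafe-inline'"))
    flag("info", "style-src", "'unsafe-inline' styles: lower risk than script, but a CSS exfiltration vector");

  return findings;
}
```

Run against the slide's policy it reports only object-src (plugins still allowed from the asset CDN, with plugin-types limiting them to Flash) and the 'unsafe-inline' in style-src; the constructed weak policy trips every rule. Note the fallback logic: base-uri and frame-ancestors never inherit from default-src, so omitting them is a real gap even when default-src is 'none'.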

Slide 24

https://goo.gl/lJq6jj
https://goo.gl/GXob6d

Slide 25

https://srihash.org/

Slide 26

https://goo.gl/yxEJiO
https://goo.gl/IrPX7b

Slide 27

Set-Cookie: user_session=...; path=/; secure; HttpOnly; SameSite=Lax

Slide 28

✔ Set-Cookie: __Host-SID=12345; Secure; Path=/   (accepted when set from a secure origin)
✘ Set-Cookie: __Host-SID=12345
✘ Set-Cookie: __Host-SID=12345; Secure
✘ Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/
✘ Set-Cookie: __Host-SID=12345; Domain=example.com
✘ Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/
✘ Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/
✔ Set-Cookie: __Secure-SID=12345; Secure   (accepted when set from a secure origin)
✘ Set-Cookie: __Secure-SID=12345
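Working out which of these lines a browser will keep is easier with the rules written down as code. The following is an added example, not from the talk: it parses a Set-Cookie line and applies the rules of the cookie-prefixes draft the slide illustrates (__Secure-: Secure attribute and a secure origin; __Host-: additionally no Domain attribute and Path=/). secureOrigin is this example's name for whether the response arrived over https; the session cookie from the previous slide is included to show an unprefixed cookie passing through unchanged.

```javascript
// Added example (not from the slides): cookie prefix rules applied to
// Set-Cookie header lines. "secureOrigin" is this example's flag for
// whether the response came over https.

// Parse "name=value; Attr; Attr=value" into parts. Attribute names are
// case-insensitive; the cookie name is kept as-is because the prefix is
// compared exactly as written.
function parseSetCookie(header) {
  const value = header.replace(/^set-cookie:\s*/i, "");
  const [pair, ...rawAttrs] = value.split(";");
  const eq = pair.indexOf("=");
  if (eq <= 0) return null; // a prefixed cookie always has a name
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attributes: {} };
  for (const raw of rawAttrs) {
    const attr = raw.trim();
    if (!attr) continue; // tolerate a trailing ';'
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Apply the prefix rules and explain every failure.
function checkCookie(header, { secureOrigin = false } = {}) {
  const cookie = parseSetCookie(header);
  if (cookie === null) return { accepted: false, reasons: ["malformed Set-Cookie"], cookie: null };
  const a = cookie.attributes;
  const reasons = [];
  const hostPrefixed = cookie.name.startsWith("__Host-");
  const securePrefixed = cookie.name.startsWith("__Secure-");

  if (hostPrefixed || securePrefixed) {
    if (!("secure" in a)) reasons.push("prefix requires the Secure attribute");
    if (!secureOrigin) reasons.push("prefix requires setting from a secure origin");
  }
  if (hostPrefixed) {
    if ("domain" in a) reasons.push("__Host- forbids the Domain attribute (cookie is host-only)");
    if (a.path !== "/") reasons.push("__Host- requires Path=/");
  }
  return { accepted: reasons.length === 0, reasons, cookie };
}

// The slide's examples plus the previous slide's session cookie, evaluated as
// if set by an https response.
const SLIDE_EXAMPLES = [
  "Set-Cookie: __Host-SID=12345; Secure; Path=/",
  "Set-Cookie: __Host-SID=12345",
  "Set-Cookie: __Host-SID=12345; Secure",
  "Set-Cookie: __Host-SID=12345; Secure; Path=/subdirectory/",
  "Set-Cookie: __Host-SID=12345; Domain=example.com",
  "Set-Cookie: __Host-SID=12345; Domain=example.com; Path=/",
  "Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/",
  "Set-Cookie: __Secure-SID=12345; Secure;",
  "Set-Cookie: __Secure-SID=12345",
  "Set-Cookie: user_session=abc; path=/; secure; HttpOnly; SameSite=Lax",
];

function evaluateSlideExamples(secureOrigin = true) {
  return SLIDE_EXAMPLES.map(header => ({ header, ...checkCookie(header, { secureOrigin }) }));
}
```

The prefixes matter because the browser enforces them, not the server: an attacker who can inject a Set-Cookie over plain http, or a sibling subdomain that can set cookies for the parent domain, cannot create a cookie whose name starts with __Host-, so the application can trust that such a cookie was set by its own host over https. Independently of prefixes, current browsers also refuse to set a Secure cookie from an insecure origin.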

Slide 29

https://goo.gl/FHAeAm

Slide 30

Credential Management API @ I/O: https://goo.gl/FbrO5x

    // Ask the browser for a stored password credential. "unmediated": true
    // means: only hand one back if no account-chooser UI is needed.
    navigator.credentials.get({ "password": true, "unmediated": true })
      .then(c => {
        if (!c) return;
        // Hooray, we have a credential!
        signInToYourApplication(c);
      });

Slide 31

Credential Management API @ I/O: https://goo.gl/FbrO5x

    // Passing the credential object as fetch's "credentials" option makes the
    // browser fill in the username and password itself; the page never reads them.
    function signInToYourApplication(c) {
      fetch("/signin", { "method": "POST", "credentials": c })
        .then(r => {
          if (r.status === 200) {
            renderSignedInExperience(r);
            // or: window.location = "/signedin";
          } else {
            renderUsefulErrorMessage();
          }
        });
    }

Slide 32

https://goo.gl/M5yVrc

Slide 33

https://goo.gl/eZ9SKg

Slide 34

scheme://host:port

Slide 35

scheme://host:port
scheme://sub1_host:port
scheme://sub2_host:port

Slide 36

No content

Slide 37

Thank you!
https://goo.gl/YyrmXp
@mikewest, [email protected]