Lock in $30 Savings on PRO—Offer Ends Soon! ⏳
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security @ CMS Security Summit
Search
Mike West
January 30, 2019
Programming
0
140
Web Platform Security @ CMS Security Summit
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Mike West
January 30, 2019
Tweet
Share
More Decks by Mike West
See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
0
130
Isolation by Default
mikewest
0
2k
The Web We Can Ship
mikewest
0
530
Web Platform Security @ CMS Security Summit 2020
mikewest
0
3.5k
Web Platform Security @ TechDays 2019
mikewest
1
190
Cookies are bad @ HTTP Workshop 2019
mikewest
0
480
Web Platform Security PhD Summit @ Google Munich
mikewest
2
1k
BSides Munich
mikewest
0
360
Hardening the Web Platform - AppSec EU, 2016
mikewest
5
1.5k
Other Decks in Programming
See All in Programming
Media Capture and Streams: W3C仕様と現場での知見
nowaki28
0
130
Herb to ReActionView: A New Foundation for the View Layer @ San Francisco Ruby Conference 2025
marcoroth
0
240
関数の挙動書き換える
takatofukui
4
770
社内オペレーション改善のためのTypeScript / TSKaigi Hokuriku 2025
dachi023
1
470
AIコーディングエージェント(Gemini)
kondai24
0
150
テストやOSS開発に役立つSetup PHP Action
matsuo_atsushi
0
140
全員アーキテクトで挑む、 巨大で高密度なドメインの紐解き方
agatan
8
18k
Socio-Technical Evolution: Growing an Architecture and Its Organization for Fast Flow
cer
PRO
0
260
WebRTC、 綺麗に見るか滑らかに見るか
sublimer
1
140
Microservices Platforms: When Team Topologies Meets Microservices Patterns
cer
PRO
1
910
DSPy Meetup Tokyo #1 - はじめてのDSPy
masahiro_nishimi
1
150
AIコーディングエージェント(NotebookLM)
kondai24
0
120
Featured
See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
380
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
Optimising Largest Contentful Paint
csswizardry
37
3.5k
The Cost Of JavaScript in 2023
addyosmani
55
9.3k
A designer walks into a library…
pauljervisheath
210
24k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
Unsuck your backbone
ammeep
671
58k
GraphQLとの向き合い方2022年版
quramy
50
14k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
9.8k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.2k
YesSQL, Process and Tooling at Scale
rocio
174
15k
Transcript
Proprietary + Confidential Proprietary + Confidential Web Platform Security @
CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West,
[email protected]
, @mikewest
Proprietary + Confidential Proprietary + Confidential HTTPS
Proprietary + Confidential https://transparencyreport.google.com/https/overview
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually
Proprietary + Confidential Proprietary + Confidential What's next? We aim
to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
Proprietary + Confidential Proprietary + Confidential What's next? We're exploring
locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
Proprietary + Confidential Proprietary + Confidential XSS / XSSI /
CSRF
Proprietary + Confidential Proprietary + Confidential CSP is great. You
should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/
Proprietary + Confidential Proprietary + Confidential Spectre
Proprietary + Confidential Proprietary + Confidential
Proprietary + Confidential Proprietary + Confidential Site Isolation
Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740
Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175
Proprietary + Confidential Proprietary + Confidential Why "site"? Why not
"origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/
Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/
Proprietary + Confidential Proprietary + Confidential Thanks! Mike West
[email protected]
@mikewest
mikewest
nowaki28
marcoroth
takatofukui
dachi023
kondai24
matsuo_atsushi
agatan
cer
sublimer
masahiro_nishimi
malarkey
tammyeverts
bermonpainter
csswizardry
addyosmani
pauljervisheath
sstephenson
ammeep
quramy
eileencodes
rocio
![Proprietary + Confidential Proprietary + Confidential Thanks! Mike West [email protected]](https://files.speakerdeck.com/presentations/70872ded6ecc4d7b86a2ffbc0c082c58/slide_20.jpg){kind=link}