Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Platform Security @ CMS Security Summit

Avatar for Mike West Mike West
PRO
January 30, 2019
Programming
0
120

Web Platform Security @ CMS Security Summit

A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Avatar for Mike West

Mike West
PRO

January 30, 2019
Tweet

More Decks by Mike West

See All by Mike West
W3C Permissions Workshop - 2022-12-05
Avatar for Mike West mikewest
PRO
0
110
Isolation by Default
Avatar for Mike West mikewest
PRO
0
1.9k
The Web We Can Ship
Avatar for Mike West mikewest
PRO
0
490
Web Platform Security @ CMS Security Summit 2020
Avatar for Mike West mikewest
PRO
0
3.1k
Web Platform Security @ TechDays 2019
Avatar for Mike West mikewest
PRO
1
180
Cookies are bad @ HTTP Workshop 2019
Avatar for Mike West mikewest
PRO
0
450
Web Platform Security PhD Summit @ Google Munich
Avatar for Mike West mikewest
PRO
2
970
BSides Munich
Avatar for Mike West mikewest
PRO
0
340
Hardening the Web Platform - AppSec EU, 2016
Avatar for Mike West mikewest
PRO
5
1.5k

Other Decks in Programming

See All in Programming
Носок на сок
Avatar for Bo0oM bo0om
0
1.1k
The Missing Link in Angular’s Signal Story: Resource API and httpResource
Avatar for Manfred Steyer manfredsteyer
PRO
0
140
Empowering Developers with HTML-Aware ERB Tooling @ RubyKaigi 2025, Matsuyama, Ehime
Avatar for Marco Roth marcoroth
2
940
監視 やばい
Avatar for syossan27 syossan27
12
10k
エンジニア向けCursor勉強会 @ SmartHR
Avatar for Yuki Horikoshi yukisnow1823
3
11k
状態と共に暮らす:ステートフルへの挑戦
Avatar for ypresto ypresto
3
1.1k
RubyKaigi Dev Meeting 2025
Avatar for Aaron Patterson tenderlove
1
1.2k
Jakarta EE Meets AI
Avatar for ivargrimstad ivargrimstad
0
740
Youtube Lofier - Chrome拡張開発
Avatar for Nini ninikoko
0
2.5k
GitHub Copilot for Azureを使い倒したい
Avatar for Kento.Yamada ymd65536
1
300
Contribute to Comunities | React Tokyo Meetup #4 LT
Avatar for SASAGAWA, Kiyoshi sasagar
0
590
Memory API : Patterns, Performance et Cas d'Utilisation
Avatar for José josepaumard
1
160

Featured

See All Featured
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
23
1.6k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
523
40k
Scaling GitHub
Avatar for Zach Holman holman
459
140k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
298
20k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
512
110k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
35
2.7k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
280
13k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
378
70k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
299
50k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
462
33k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.7k

Transcript

  1. Proprietary + Confidential Proprietary + Confidential Web Platform Security @

    CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West, [email protected], @mikewest

  2. Proprietary + Confidential Proprietary + Confidential HTTPS

  3. Proprietary + Confidential https://transparencyreport.google.com/https/overview

  4. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today

  5. Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually

  6. Proprietary + Confidential Proprietary + Confidential What's next? We aim

    to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad

  7. Proprietary + Confidential Proprietary + Confidential What's next? We're exploring

    locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint

  8. Proprietary + Confidential Proprietary + Confidential XSS / XSSI /

    CSRF

  9. Proprietary + Confidential Proprietary + Confidential CSP is great. You

    should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/

  10. Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02

  11. Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/

  12. Proprietary + Confidential Proprietary + Confidential Spectre

  13. Proprietary + Confidential Proprietary + Confidential

  14. Proprietary + Confidential Proprietary + Confidential Site Isolation

  15. Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy

    https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header

  16. Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy

    https://github.com/whatwg/html/issues/3740

  17. Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175

  18. Proprietary + Confidential Proprietary + Confidential Why "site"? Why not

    "origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739

  19. Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/

  20. Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/

  21. Proprietary + Confidential Proprietary + Confidential Thanks! Mike West [email protected]

    @mikewest