Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Platform Security @ CMS Security Summit
Search
Mike West
PRO
January 30, 2019
Programming
0
110
Web Platform Security @ CMS Security Summit
A quick overview of the kinds of things Chrome's thinking about from a web platform perspective.
Mike West
PRO
January 30, 2019
Tweet
Share
More Decks by Mike West
See All by Mike West
W3C Permissions Workshop - 2022-12-05
mikewest
PRO
0
100
Isolation by Default
mikewest
PRO
0
1.8k
The Web We Can Ship
mikewest
PRO
0
450
Web Platform Security @ CMS Security Summit 2020
mikewest
PRO
0
2.8k
Web Platform Security @ TechDays 2019
mikewest
PRO
1
160
Cookies are bad @ HTTP Workshop 2019
mikewest
PRO
0
410
Web Platform Security PhD Summit @ Google Munich
mikewest
PRO
2
900
BSides Munich
mikewest
PRO
0
320
Hardening the Web Platform - AppSec EU, 2016
mikewest
PRO
5
1.4k
Other Decks in Programming
See All in Programming
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100
最新TCAキャッチアップ
0si43
0
190
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
190
Amazon Qを使ってIaCを触ろう!
maruto
0
410
みんなでプロポーザルを書いてみた
yuriko1211
0
280
CSC509 Lecture 12
javiergs
PRO
0
160
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
どうして僕の作ったクラスが手続き型と言われなきゃいけないんですか
akikogoto
1
120
Quine, Polyglot, 良いコード
qnighy
4
650
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
1
300
What’s New in Compose Multiplatform - A Live Tour (droidcon London 2024)
zsmb
1
480
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
120
Featured
See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
For a Future-Friendly Web
brad_frost
175
9.4k
Making Projects Easy
brettharned
115
5.9k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130
The Pragmatic Product Professional
lauravandoore
31
6.3k
The Cult of Friendly URLs
andyhume
78
6k
Designing for humans not robots
tammielis
250
25k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Transcript
Proprietary + Confidential Proprietary + Confidential Web Platform Security @
CMS Security Summit - 2019-01-30 Proprietary + Confidential Mike West,
[email protected]
, @mikewest
Proprietary + Confidential Proprietary + Confidential HTTPS
Proprietary + Confidential https://transparencyreport.google.com/https/overview
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Today
Proprietary + Confidential Proprietary + Confidential Address Bar UX: Eventually
Proprietary + Confidential Proprietary + Confidential What's next? We aim
to expire non-secure cookies early rather than sending them over non-secure connections. https://github.com/mikewest/cookies-over-http-bad
Proprietary + Confidential Proprietary + Confidential What's next? We're exploring
locking some high-entropy headers to secure connections (for example, `User-Agent` and `Accept-Lang`). https://tools.ietf.org/html/draft-west-ua-client-hints https://tools.ietf.org/html/draft-west-lang-client-hint
Proprietary + Confidential Proprietary + Confidential XSS / XSSI /
CSRF
Proprietary + Confidential Proprietary + Confidential CSP is great. You
should use it! https://csp.withgoogle.com Trusted Types looks promising. Please give us feedback! https://github.com/WICG/trusted-types/
Proprietary + Confidential Proprietary + Confidential SameSite Cookies https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02
Proprietary + Confidential Proprietary + Confidential Fetch Metadata https://mikewest.github.io/sec-metadata/
Proprietary + Confidential Proprietary + Confidential Spectre
Proprietary + Confidential Proprietary + Confidential
Proprietary + Confidential Proprietary + Confidential Site Isolation
Proprietary + Confidential Proprietary + Confidential Cross Origin Resource Policy
https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
Proprietary + Confidential Proprietary + Confidential Cross Origin Opener Policy
https://github.com/whatwg/html/issues/3740
Proprietary + Confidential Proprietary + Confidential CORS-Only Mode https://github.com/whatwg/html/issues/4175
Proprietary + Confidential Proprietary + Confidential Why "site"? Why not
"origin"? https://www.chromestatus.com/metrics/feature/timeline/popularity/739
Proprietary + Confidential Proprietary + Confidential Feature Policy https://w3c.github.io/webappsec-feature-policy/
Proprietary + Confidential Proprietary + Confidential Origin Policy https://wicg.github.io/origin-policy/
Proprietary + Confidential Proprietary + Confidential Thanks! Mike West
[email protected]
@mikewest