惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
B
Blog RSS Feed
W
WeLiveSecurity
I
InfoQ
L
Lohrmann on Cybersecurity
Simon Willison's Weblog
Simon Willison's Weblog
腾讯CDC
S
Schneier on Security
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Threat Research - Cisco Blogs
P
Palo Alto Networks Blog
Attack and Defense Labs
Attack and Defense Labs
I
Intezer
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Last Week in AI
Last Week in AI
WordPress大学
WordPress大学
Cisco Talos Blog
Cisco Talos Blog
T
The Exploit Database - CXSecurity.com
S
Securelist
T
Tailwind CSS Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
美团技术团队
Stack Overflow Blog
Stack Overflow Blog
T
Tor Project blog
博客园 - 叶小钗
Engineering at Meta
Engineering at Meta
Microsoft Security Blog
Microsoft Security Blog
Project Zero
Project Zero
C
Cybersecurity and Infrastructure Security Agency CISA
Apple Machine Learning Research
Apple Machine Learning Research
V
Visual Studio Blog
Know Your Adversary
Know Your Adversary
T
The Blog of Author Tim Ferriss
N
News and Events Feed by Topic
小众软件
小众软件
G
Google Developers Blog
F
Full Disclosure
O
OpenAI News
The Last Watchdog
The Last Watchdog
G
GRAHAM CLULEY
TaoSecurity Blog
TaoSecurity Blog
U
Unit 42
Jina AI
Jina AI
S
SegmentFault 最新的问题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
P
Proofpoint News Feed
Y
Y Combinator Blog
N
News and Events Feed by Topic
K
Kaspersky official blog

Mike West

XSS (No, the _other_ Frontend Security - Frontend Conference, Zürich 2013 Debugging runtime errors with Securing the Client Side Content Security Policy: Feature Detection Chrome connects to three random domains at startup. Nerdy New Year Making Your Web Apps Accessible Using HTML5 and ChromeVox GDD Keynote: The HTML5 Demos
Web Platform Security @ CMS Security Summit 2020
Mike West · 2020-02-10 · via Mike West

Last Thursday, I had the opportunity to chat with folks in the CMS community about some client-side web security topics that I find pretty relevant today. Preparing the talk was a bit of a strange experience; I think I could have directly copied most of the slides from similar presentations I’ve given years ago, and it’s a little frustrating that they’re still so relevant. That said, this was a good opportunity to discuss some new bits and pieces that are only now coming into focus after a lot of design work and discussion.

I aimed to get a few messages across:

  1. My team is focused on two sets of web platform attacks: script injection continues to be both high risk and pervasive, and we’re rapidly discovering the side-channeled consequences of insufficient isolation. These are topics I’d love web developers to be paying attention to as well.

  2. Injection attacks can be reasonably mitigated today with a reasonably strict Content Security Policy, and I’m hopeful about our ability to more robustly address the underlying vulnerability via new tools like Trusted Types. I would love to see web developers deploy the former, and start playing around with the latter.

  3. Browsers and developers can cooperate to attenuate side-channel attacks by shifting away from the web’s embed-everything defaults, moving instead towards an opt-in model that more tightly constrains attackers’ ability to unexpectedly poke at resources. Chrome will be shipping Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy shortly, and we intend to ensure that they’re in place before enabling some APIs that risk aggravating side-channel attacks. To make this work at scale, it’s critical that we collectively help developers place priority on applying Cross-Origin-Resource-Policy assertions to intentionally-embeddable resources.

    Note that Artur Janc, et al. have put together a great explainer for Cross-Origin Resource/Embedder/Opener Policy that I’m kicking myself for not linking in the talk. So. I’m linking it here, now.

  4. I pointed folks to Securer Contexts as an area where I think browsers can revisit the minimum bar for modern applications that we set back in ~2015. Transport security seems quite insufficient to mitigate today’s threats, and nudging developers more firmly towards the tools noted above seems imminently reasonable to me.

I’d appreciate feedback on these priorities, and also on the particular mitigations proposed above. I’m hopeful that they’re generally-applicable and widely-deployable, and would love to hear how y’all see things.

For completeness, I’ll embed the slides below (but I think you’ll only get as much out of them as you’ve already gotten out of the bullets above). For those of you that were in the room, thanks for listening!

Slides

Hosted on Speaker Deck, or as a PDF.