惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
Lohrmann on Cybersecurity
Martin Fowler
Martin Fowler
Engineering at Meta
Engineering at Meta
腾讯CDC
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Microsoft Azure Blog
Microsoft Azure Blog
G
Google Developers Blog
TaoSecurity Blog
TaoSecurity Blog
博客园_首页
Vercel News
Vercel News
Hugging Face - Blog
Hugging Face - Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Last Week in AI
Last Week in AI
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
The Exploit Database - CXSecurity.com
量子位
Project Zero
Project Zero
A
Arctic Wolf
小众软件
小众软件
NISL@THU
NISL@THU
C
CERT Recently Published Vulnerability Notes
有赞技术团队
有赞技术团队
MongoDB | Blog
MongoDB | Blog
博客园 - 聂微东
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
N
News and Events Feed by Topic
宝玉的分享
宝玉的分享
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
T
Troy Hunt's Blog
P
Privacy & Cybersecurity Law Blog
Security Latest
Security Latest
B
Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
D
DataBreaches.Net
Schneier on Security
Schneier on Security
The Hacker News
The Hacker News
K
Kaspersky official blog
C
Check Point Blog
Hacker News: Ask HN
Hacker News: Ask HN
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Webroot Blog
Webroot Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
人人都是产品经理
人人都是产品经理
AI
AI
Cisco Talos Blog
Cisco Talos Blog
MyScale Blog
MyScale Blog
Cloudbric
Cloudbric
B
Blog RSS Feed
S
Schneier on Security
P
Palo Alto Networks Blog

Mike West

XSS (No, the _other_ Frontend Security - Frontend Conference, Zürich 2013 Debugging runtime errors with Securing the Client Side Content Security Policy: Feature Detection Chrome connects to three random domains at startup. Nerdy New Year Making Your Web Apps Accessible Using HTML5 and ChromeVox GDD Keynote: The HTML5 Demos
Web Platform Security @ CMS Security Summit 2020
Mike West · 2020-02-10 · via Mike West

Last Thursday, I had the opportunity to chat with folks in the CMS community about some client-side web security topics that I find pretty relevant today. Preparing the talk was a bit of a strange experience; I think I could have directly copied most of the slides from similar presentations I’ve given years ago, and it’s a little frustrating that they’re still so relevant. That said, this was a good opportunity to discuss some new bits and pieces that are only now coming into focus after a lot of design work and discussion.

I aimed to get a few messages across:

  1. My team is focused on two sets of web platform attacks: script injection continues to be both high risk and pervasive, and we’re rapidly discovering the side-channeled consequences of insufficient isolation. These are topics I’d love web developers to be paying attention to as well.

  2. Injection attacks can be reasonably mitigated today with a reasonably strict Content Security Policy, and I’m hopeful about our ability to more robustly address the underlying vulnerability via new tools like Trusted Types. I would love to see web developers deploy the former, and start playing around with the latter.

  3. Browsers and developers can cooperate to attenuate side-channel attacks by shifting away from the web’s embed-everything defaults, moving instead towards an opt-in model that more tightly constrains attackers’ ability to unexpectedly poke at resources. Chrome will be shipping Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy shortly, and we intend to ensure that they’re in place before enabling some APIs that risk aggravating side-channel attacks. To make this work at scale, it’s critical that we collectively help developers place priority on applying Cross-Origin-Resource-Policy assertions to intentionally-embeddable resources.

    Note that Artur Janc, et al. have put together a great explainer for Cross-Origin Resource/Embedder/Opener Policy that I’m kicking myself for not linking in the talk. So. I’m linking it here, now.

  4. I pointed folks to Securer Contexts as an area where I think browsers can revisit the minimum bar for modern applications that we set back in ~2015. Transport security seems quite insufficient to mitigate today’s threats, and nudging developers more firmly towards the tools noted above seems imminently reasonable to me.

I’d appreciate feedback on these priorities, and also on the particular mitigations proposed above. I’m hopeful that they’re generally-applicable and widely-deployable, and would love to hear how y’all see things.

For completeness, I’ll embed the slides below (but I think you’ll only get as much out of them as you’ve already gotten out of the bullets above). For those of you that were in the room, thanks for listening!

Slides

Hosted on Speaker Deck, or as a PDF.