Presentation: Browser-side security: Mitigate the risk of XSS

The most secure application does nothing at all, which isn't particularly interesting in today's world of web interfaces with functionality we couldn't have dreamed of 2 years ago. We want to create these brilliant experiences, but doing so while ensuring that sensitive user data remains totally secure is a difficult proposition.

Here, we'll explore a few of the fortified bastions that modern browsers make available to us. Content Security Policy (and other interesting HTTP headers), sandboxed iframes, the Web Cryptography API, and MessagePorts give us the tools we need to lock down our applications and communicate securely across origins.


PDF: slides.pdf


No privilege, no risk

A client-side security cornucopia
Mike West, Twitter: @mikewest
Slides: #DV13-security

Step 0: Encrypt all traffic.

Image credit: "Enigma" - skittledog

Set-Cookie: ...; secure; HttpOnly



Strict-Transport-Security: max-age=2592000; includeSubDomains


Public-Key-Pins: max-age=2592000; pin-sha256="4n972H…yw4uqe/baXc="

Limit Unanticipated Framing.

Image credit: "Framed in the Valley" - cobalt123

Click me! I am happy!



X-Frame-Options: DENY
or
X-Frame-Options: SAMEORIGIN

"X-Frame-Options: All about Clickjacking?"


Prevent MIME-Type Sniffing.

Image credit: "Sniff" - tiny banquet committee

X-Content-Type-Options: nosniff


Mitigate content injection.

Image credit: "Finance - Financial Injection - Finance" - doug8888




Hello {{USER_NAME}}, view your Account.


"I discount the probability of perfection." -Alex Russell


"We are all idiots with deadlines." -Mike West


X-XSS-Protection: 1; mode=block
or
X-XSS-Protection: 0
but not
X-XSS-Protection: 1

(mode=block stops the page from rendering instead of rewriting it; 0 turns the filter off entirely, which is still better than letting it selectively disable scripts.)


X-XSS-Protection: 1; mode=block; report=


Content-Security-Policy: default-src 'none'; style-src; frame-src; script-src; img-src 'self'; font-src


Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri


Content-Security-Policy-Report-Only: default-src https:; report-uri

Reports are POSTed as JSON:

{
  "csp-report": {
    "document-uri": "",
    "referrer": "",
    "blocked-uri": "",
    "violated-directive": "default-src 'self'",
    "original-policy": "...",
    "source-file": "",
    "line-number": 10,
    "column-number": 11
  }
}


Click me!

function handleClick() { ... }

function init() {
  // querySelectorAll returns a NodeList: iterate by index, not with for...in,
  // which yields property names (strings) rather than the elements themselves.
  var buttons = document.querySelectorAll('.clckr');
  for (var i = 0; i < buttons.length; i++)
    buttons[i].addEventListener('click', handleClick);
}

document.addEventListener('DOMContentLoaded', init);


Content-Security-Policy: script-src 'nonce-afbvjn+afpo-j1qer';

Click me!


Content-Security-Policy: script-src 'sha256-afbvjn+...afpo-j1qer';

Click me!

Limit IFrame Capabilities

Image credit: "Sandbox Shadow" - Scott Robinson


Secure Cross-Origin Communication

Image credit: "Vandalised Red Telephone Box" - Jon Pinder

Moar Encryption

Image credit: "Enigma" - skittledog

Thanks!
Mike West, Twitter: @mikewest