SlideShare a Scribd company logo

Getting Browsers to Improve the Security of Your Webapp

F
Francois Marier

The document discusses various browser security mechanisms that can help improve the security of web applications. It describes mechanisms like subresource integrity, which prevents tampering of external assets; referrer policy and noopener, which help prevent information leaks; and Content Security Policy, which helps prevent cross-site scripting attacks. It also discusses using HTTPS, HTTP-only and secure cookies, sandboxed iframes, and HTTP Strict Transport Security to further enhance security. The document provides explanations and examples of how to implement many of these browser-enforced security mechanisms.

Internet
1 of 114
Download to read offline
François Marier @fmarier Getting Browsers to Improve the Security of Your Webapp
external resources user content cookies encryption
external resources
Subresource integrity mechanism for preventing tampering of static assets
https://ajax.googleapis.com/ajax /libs/jquery/1.9.1/jquery.min.js
what would happen if that server were compromised?
Bad Things™ steal sessions leak confidential data redirect to phishing sites enlist DDoS zombies
simple solution
instead of this: <script src=”https://ajax.googleapis.com...”> integrity=”sha256-1z4uG/+cVbhShP...” crossorigin=”anonymous”>
<script src=”https://ajax.googleapis.com...”> integrity=”sha256-1z4uG/+cVbhShP...” crossorigin=”anonymous”> do this:
guarantee: script won't change or it'll be blocked
rel=”noopener” mechanism for disabling the window.opener object
My Account ● Change my address ● Change my billing card ● Reset my password ● Delete my account ● Watch some cute kittens!
My Account ● Change my address ● Change my billing card ● Reset my password ● Delete my account ● Watch some cute kittens! kittens!!!!!!!!
<a href=”...” target=”_blank”>
window.opener.location
window.opener.location
window.opener.location = 'http://stealmypasswd.org';
My Account ● Change my address ● Change my billing card ● Reset my password ● Delete my account ● Watch some cute kittens! kittens!!!!!!!!
Session Expired Username: Password: Log back in! kittens!!!!!!!!
Session Expired Username: Password: Log back in! esnowden **********
My Account ● Change my address ● Change my billing card ● Reset my password ● Delete my account ● Watch some cute kittens!
solutions
<a href=”...” target=”_blank”>
<a href=”...” target=”_blank” rel=”noopener”>
window.opener == null
Referrer Policy mechanism for trimming the Referer header
http://example.com/search?q=serious+medical+condition Click here for the cheapest insurance around! Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla. Bla bla bla, bla bla, bla bla bla bla.
Referrer-Policy: no-referrer <meta name="referrer" content="origin"> <a href="http://example.com" referrer="origin">
Referrer-Policy: no-referrer <meta name="referrer" content="no-referrer"> <a href="http://example.com" referrer="origin">
Referrer-Policy: no-referrer <meta name="referrer" content="no-referrer"> <a href="http://example.com" referrerPolicy="no-referrer">
no-referrer no-referrer-when-downgrade same-origin strict-origin strict-origin-when-cross-origin
no-referrer no-referrer-when-downgrade same-origin strict-origin strict-origin-when-cross-origin
no-referrer no-referrer-when-downgrade same-origin strict-origin strict-origin-when-cross-origin
no-referrer no-referrer-when-downgrade same-origin strict-origin-when-cross-origin
no-referrer no-referrer-when-downgrade same-origin strict-origin-when-cross-origin https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
user content
Sandboxed iframes mechanism for restricting embedded documents
<iframe src=”resume.html”>
window.parent
seriousapp.com seriousappusercontent.com
<iframe src=”resume.html” sandbox=””>
scripts popups forms
scripts popups forms https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox
X-Content-Type-Options mechanism for disabling content type sniffing
PDF
Review Papers ● Witty-Title.pdf ● Serious-Sounding-Topic.pdf ● Series-of-buzzwords.pdf ● Celebrity-Paper.pdf ● Half-Ass-Paper.pdf
%PDF-1.5 <html> <body> <script> ... </script> </body> </html>
%PDF-1.5 <html> <body> <script> ... </script> </body> </html>
<form action=”review.cgi”> <input type=”hidden” name=”paper-id” value=”42”> <input type=”hidden” name=”score” value=”100”> </form>
X-Content-Type-Options: nosniff
Content Security Policy aka CSP mechanism for preventing XSS
telling the browser the content that is allowed to load
Hi y'all<script> alert('p0wned'); </script>! Tweet! What's on your mind?
without CSP
Hi y'all! John Doe - just moments ago p0wned Ok
with CSP
Hi y'all! John Doe - just moments ago
Content-Security-Policy: script-src 'self' https://cdn.example.com
script-src object-src style-src img-src media-src font-src connect-src ...
script-src object-src style-src img-src media-src font-src connect-src ... https://developer.mozilla.org/docs/Web/HTTP/CSP
cookies
1234
Set-Cookie: sessionid=1234
1234
1234
document.cookie
Cookie options mechanism for restricting the scope of cookies
Set-Cookie: sessionid=1234; httponly
document.cookie == null
Set-Cookie: sessionid=1234; secure
1234
good, but not great
1234
Set-Cookie: sessionid=1234
1234
666
666
Cookie prefixes mechanism for enforcing cookie restrictions
Set-Cookie: __Secure-sessionid=1234; secure
__Secure-sessionid=666
encryption
HTTPS mechanism for securing information in transit
if you're not using it, now is the time to start :)
HTTPS is not enough you need to do it properly
RC4
SHA-1 RC4
SHA-11024-bit certificates RC4
SHA-11024-bit certificates RC4 weak DH parameters
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://www.ssllabs.com/ssltest/
Strict Transport Security aka HSTS mechanism for preventing HTTPS to HTTP downgrades
telling the browser that your site should never be reached over HTTP
GET bank.com 301→ GET https://bank.com 200→ no HSTS, no sslstrip
GET bank.com → 200 no HSTS, with sslstrip
what does HSTS look like?
Strict-Transport-Security: max-age=31536000
with HSTS, with sslstrip GET https://bank.com 200→
no HTTP traffic for sslstrip to tamper with
https://hstspreload.org/
referrer policy subresource integrity noopener cookie prefixes cookie options sandboxed iframes x-content-type-options content security policy https strict transport security
Questions? feedback: francois@mozilla.com @fmarier mozilla.dev.security © 2017 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
photo credits: explosion: https://www.flickr.com/photos/-cavin-/2313239884/ kittens: https://www.flickr.com/photos/londonlooks/5693093073 cookie: https://www.flickr.com/photos/amagill/34754258/

Recommended

Preparing a WordPress Plugin for Translation
Preparing a WordPress Plugin for TranslationPreparing a WordPress Plugin for Translation
Preparing a WordPress Plugin for Translation
Brian Hogg
 
Brian hogg word camp preparing a plugin for translation
Brian hogg word camp preparing a plugin for translationBrian hogg word camp preparing a plugin for translation
Brian hogg word camp preparing a plugin for translation
wcto2017
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101
brian_dailey
 
Codigo laura grau
Codigo laura grauCodigo laura grau
Codigo laura grau
Cristian Rasta
 
BrightonSEO
BrightonSEOBrightonSEO
BrightonSEO
Richard Falconer
 
Mio web
Mio webMio web
Mio web
Henry98tv
 
I pv6+at+caribbean+sector
I pv6+at+caribbean+sectorI pv6+at+caribbean+sector
I pv6+at+caribbean+sector
max Firmin
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
Simon Willison
 

Recommended

Preparing a WordPress Plugin for Translation
Preparing a WordPress Plugin for TranslationPreparing a WordPress Plugin for Translation
Preparing a WordPress Plugin for Translation
Brian Hogg
 
Brian hogg word camp preparing a plugin for translation
Brian hogg word camp preparing a plugin for translationBrian hogg word camp preparing a plugin for translation
Brian hogg word camp preparing a plugin for translation
wcto2017
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101
brian_dailey
 
Codigo laura grau
Codigo laura grauCodigo laura grau
Codigo laura grau
Cristian Rasta
 
BrightonSEO
BrightonSEOBrightonSEO
BrightonSEO
Richard Falconer
 
Mio web
Mio webMio web
Mio web
Henry98tv
 
I pv6+at+caribbean+sector
I pv6+at+caribbean+sectorI pv6+at+caribbean+sector
I pv6+at+caribbean+sector
max Firmin
 
Web Security Horror Stories
Web Security Horror StoriesWeb Security Horror Stories
Web Security Horror Stories
Simon Willison
 
The Backside of the Class (CSS Day 2015)
The Backside of the Class (CSS Day 2015)The Backside of the Class (CSS Day 2015)
The Backside of the Class (CSS Day 2015)
Stephen Hay
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC Edition
Xavier Mertens
 
CSSプリプロセッサの取扱説明書
CSSプリプロセッサの取扱説明書CSSプリプロセッサの取扱説明書
CSSプリプロセッサの取扱説明書
拓樹 谷
 
Bollean Search - NageshRao
Bollean Search - NageshRaoBollean Search - NageshRao
Bollean Search - NageshRao
Nagesh Rao is Hiring Testing People at AUS
 
google dork.pdf
google dork.pdfgoogle dork.pdf
google dork.pdf
Mahesh Pradhan
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
Frank Kim
 
モダンなCSS設計パターンを考える
モダンなCSS設計パターンを考えるモダンなCSS設計パターンを考える
モダンなCSS設計パターンを考える
拓樹 谷
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
Jarrod Overson
 
BrightonSEO - The Search Universe - Links, Log Files, GSC and everything in b...
BrightonSEO - The Search Universe - Links, Log Files, GSC and everything in b...BrightonSEO - The Search Universe - Links, Log Files, GSC and everything in b...
BrightonSEO - The Search Universe - Links, Log Files, GSC and everything in b...
Jon Myers
 
A Technical Look at Content - PUBCON SFIMA 2017 - Patrick Stox
A Technical Look at Content - PUBCON SFIMA 2017 - Patrick StoxA Technical Look at Content - PUBCON SFIMA 2017 - Patrick Stox
A Technical Look at Content - PUBCON SFIMA 2017 - Patrick Stox
patrickstox
 
UK Top 5,000 Websites; Mobile Site Speed Benchmark - BrightonSEO
UK Top 5,000 Websites; Mobile Site Speed Benchmark - BrightonSEOUK Top 5,000 Websites; Mobile Site Speed Benchmark - BrightonSEO
UK Top 5,000 Websites; Mobile Site Speed Benchmark - BrightonSEO
Erudite
 
SMX Advanced 2018 Solving Complex SEO Problems by Patrick Stox
SMX Advanced 2018 Solving Complex SEO Problems by Patrick StoxSMX Advanced 2018 Solving Complex SEO Problems by Patrick Stox
SMX Advanced 2018 Solving Complex SEO Problems by Patrick Stox
patrickstox
 
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
patrickstox
 
FoundConf 2018 Signals Speak - Alexis Sanders
FoundConf 2018 Signals Speak - Alexis SandersFoundConf 2018 Signals Speak - Alexis Sanders
FoundConf 2018 Signals Speak - Alexis Sanders
Alexis Sanders
 
Help mijn website is gehackt - Joomla User Group Den Bosch 2014
Help mijn website is gehackt - Joomla User Group Den Bosch 2014Help mijn website is gehackt - Joomla User Group Den Bosch 2014
Help mijn website is gehackt - Joomla User Group Den Bosch 2014
Peter Martin
 
モダンなCSS設計パターンを考える
モダンなCSS設計パターンを考えるモダンなCSS設計パターンを考える
モダンなCSS設計パターンを考える
拓樹 谷
 
SES Hong Kong 2013: Updating strategies: why traditional content spamming met...
SES Hong Kong 2013: Updating strategies: why traditional content spamming met...SES Hong Kong 2013: Updating strategies: why traditional content spamming met...
SES Hong Kong 2013: Updating strategies: why traditional content spamming met...
Pak Hou Cheung
 
the SEO cyborg - Moz 2018 (full edition)
the SEO cyborg - Moz 2018 (full edition)the SEO cyborg - Moz 2018 (full edition)
the SEO cyborg - Moz 2018 (full edition)
Alexis Sanders
 
對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談
Jerry
 
Link Building at Scale With a Tiny Team - Sam Oh
Link Building at Scale With a Tiny Team - Sam OhLink Building at Scale With a Tiny Team - Sam Oh
Link Building at Scale With a Tiny Team - Sam Oh
Sam Oh
 
Atoum, le framework de tests unitaires pour PHP 5.3 simple, moderne et intuit...
Atoum, le framework de tests unitaires pour PHP 5.3 simple, moderne et intuit...Atoum, le framework de tests unitaires pour PHP 5.3 simple, moderne et intuit...
Atoum, le framework de tests unitaires pour PHP 5.3 simple, moderne et intuit...
Frederic Hardy
 
Microservices Minus the Hype: How to Build and Why
Microservices Minus the Hype: How to Build and WhyMicroservices Minus the Hype: How to Build and Why
Microservices Minus the Hype: How to Build and Why
Mark Heckler
 

More Related Content

What's hot

CSSプリプロセッサの取扱説明書
CSSプリプロセッサの取扱説明書CSSプリプロセッサの取扱説明書
CSSプリプロセッサの取扱説明書
拓樹 谷
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
Frank Kim
 

What's hot (20)

The Backside of the Class (CSS Day 2015)
The Backside of the Class (CSS Day 2015)The Backside of the Class (CSS Day 2015)
The Backside of the Class (CSS Day 2015)
 
HTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC EditionHTTP For the Good or the Bad - FSEC Edition
HTTP For the Good or the Bad - FSEC Edition
 
CSSプリプロセッサの取扱説明書
CSSプリプロセッサの取扱説明書CSSプリプロセッサの取扱説明書
CSSプリプロセッサの取扱説明書
 
Bollean Search - NageshRao
Bollean Search - NageshRaoBollean Search - NageshRao
Bollean Search - NageshRao
 
google dork.pdf
google dork.pdfgoogle dork.pdf
google dork.pdf
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
モダンなCSS設計パターンを考える
モダンなCSS設計パターンを考えるモダンなCSS設計パターンを考える
モダンなCSS設計パターンを考える
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
BrightonSEO - The Search Universe - Links, Log Files, GSC and everything in b...
BrightonSEO - The Search Universe - Links, Log Files, GSC and everything in b...BrightonSEO - The Search Universe - Links, Log Files, GSC and everything in b...
BrightonSEO - The Search Universe - Links, Log Files, GSC and everything in b...
 
A Technical Look at Content - PUBCON SFIMA 2017 - Patrick Stox
A Technical Look at Content - PUBCON SFIMA 2017 - Patrick StoxA Technical Look at Content - PUBCON SFIMA 2017 - Patrick Stox
A Technical Look at Content - PUBCON SFIMA 2017 - Patrick Stox
 
UK Top 5,000 Websites; Mobile Site Speed Benchmark - BrightonSEO
UK Top 5,000 Websites; Mobile Site Speed Benchmark - BrightonSEOUK Top 5,000 Websites; Mobile Site Speed Benchmark - BrightonSEO
UK Top 5,000 Websites; Mobile Site Speed Benchmark - BrightonSEO
 
SMX Advanced 2018 Solving Complex SEO Problems by Patrick Stox
SMX Advanced 2018 Solving Complex SEO Problems by Patrick StoxSMX Advanced 2018 Solving Complex SEO Problems by Patrick Stox
SMX Advanced 2018 Solving Complex SEO Problems by Patrick Stox
 
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
 
FoundConf 2018 Signals Speak - Alexis Sanders
FoundConf 2018 Signals Speak - Alexis SandersFoundConf 2018 Signals Speak - Alexis Sanders
FoundConf 2018 Signals Speak - Alexis Sanders
 
Help mijn website is gehackt - Joomla User Group Den Bosch 2014
Help mijn website is gehackt - Joomla User Group Den Bosch 2014Help mijn website is gehackt - Joomla User Group Den Bosch 2014
Help mijn website is gehackt - Joomla User Group Den Bosch 2014
 
モダンなCSS設計パターンを考える
モダンなCSS設計パターンを考えるモダンなCSS設計パターンを考える
モダンなCSS設計パターンを考える
 
SES Hong Kong 2013: Updating strategies: why traditional content spamming met...
SES Hong Kong 2013: Updating strategies: why traditional content spamming met...SES Hong Kong 2013: Updating strategies: why traditional content spamming met...
SES Hong Kong 2013: Updating strategies: why traditional content spamming met...
 
the SEO cyborg - Moz 2018 (full edition)
the SEO cyborg - Moz 2018 (full edition)the SEO cyborg - Moz 2018 (full edition)
the SEO cyborg - Moz 2018 (full edition)
 
對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談對抗釣魚與詐騙網站的經驗談
對抗釣魚與詐騙網站的經驗談
 
Link Building at Scale With a Tiny Team - Sam Oh
Link Building at Scale With a Tiny Team - Sam OhLink Building at Scale With a Tiny Team - Sam Oh
Link Building at Scale With a Tiny Team - Sam Oh
 

Viewers also liked

TDD and Getting Paid
TDD and Getting PaidTDD and Getting Paid
TDD and Getting Paid
Rowan Merewood
 
Introducing Azure DocumentDB - NoSQL, No Problem
Introducing Azure DocumentDB - NoSQL, No ProblemIntroducing Azure DocumentDB - NoSQL, No Problem
Introducing Azure DocumentDB - NoSQL, No Problem
Andrew Liu
 

Viewers also liked (20)

Atoum, le framework de tests unitaires pour PHP 5.3 simple, moderne et intuit...
Atoum, le framework de tests unitaires pour PHP 5.3 simple, moderne et intuit...Atoum, le framework de tests unitaires pour PHP 5.3 simple, moderne et intuit...
Atoum, le framework de tests unitaires pour PHP 5.3 simple, moderne et intuit...
 
Microservices Minus the Hype: How to Build and Why
Microservices Minus the Hype: How to Build and WhyMicroservices Minus the Hype: How to Build and Why
Microservices Minus the Hype: How to Build and Why
 
Debugging tricks you wish you knew - Tamir Dresher
Debugging tricks you wish you knew - Tamir DresherDebugging tricks you wish you knew - Tamir Dresher
Debugging tricks you wish you knew - Tamir Dresher
 
Who’s afraid of WinDbg
Who’s afraid of WinDbgWho’s afraid of WinDbg
Who’s afraid of WinDbg
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Surfer en toute legalite sur le net
Surfer en toute legalite sur le netSurfer en toute legalite sur le net
Surfer en toute legalite sur le net
 
PhoneGap Day US 2013 - Simon MacDonald: Speech Recognition
PhoneGap Day US 2013 - Simon MacDonald: Speech RecognitionPhoneGap Day US 2013 - Simon MacDonald: Speech Recognition
PhoneGap Day US 2013 - Simon MacDonald: Speech Recognition
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
TDD and Getting Paid
TDD and Getting PaidTDD and Getting Paid
TDD and Getting Paid
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
AppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the UglyAppSec California 2017 CSP: The Good, the Bad and the Ugly
AppSec California 2017 CSP: The Good, the Bad and the Ugly
 
Sensible scaling
Sensible scalingSensible scaling
Sensible scaling
 
Of Gaps, Fillers and Empty Spaces… Fronteers2015 closing keynote
Of Gaps, Fillers and Empty Spaces… Fronteers2015 closing keynoteOf Gaps, Fillers and Empty Spaces… Fronteers2015 closing keynote
Of Gaps, Fillers and Empty Spaces… Fronteers2015 closing keynote
 
AppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSPAppSec USA 2016: Demystifying CSP
AppSec USA 2016: Demystifying CSP
 
Protect your users with Circuit breakers
Protect your users with Circuit breakersProtect your users with Circuit breakers
Protect your users with Circuit breakers
 
Preventing XSS with Content Security Policy
Preventing XSS with Content Security PolicyPreventing XSS with Content Security Policy
Preventing XSS with Content Security Policy
 
Designing irresistible apis
Designing irresistible apisDesigning irresistible apis
Designing irresistible apis
 
Introducing Azure DocumentDB - NoSQL, No Problem
Introducing Azure DocumentDB - NoSQL, No ProblemIntroducing Azure DocumentDB - NoSQL, No Problem
Introducing Azure DocumentDB - NoSQL, No Problem
 
Formation expliquer internet et la loi par Vincent Ruy
Formation expliquer internet et la loi par Vincent Ruy Formation expliquer internet et la loi par Vincent Ruy
Formation expliquer internet et la loi par Vincent Ruy
 

Similar to Getting Browsers to Improve the Security of Your Webapp

Directory Submissions List
Directory Submissions ListDirectory Submissions List
Directory Submissions List
Markandey Singh
 
More Than You Ever Wanted to Know About Resource Hints - Harry Roberts (CSS W...
More Than You Ever Wanted to Know About Resource Hints - Harry Roberts (CSS W...More Than You Ever Wanted to Know About Resource Hints - Harry Roberts (CSS W...
More Than You Ever Wanted to Know About Resource Hints - Harry Roberts (CSS W...
Shift Conference
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Jeremiah Grossman
 
Google-image poisoning: How hackers use images to spread malware
Google-image poisoning: How hackers use images to spread malwareGoogle-image poisoning: How hackers use images to spread malware
Google-image poisoning: How hackers use images to spread malware
Avast
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
Francois Marier
 

Similar to Getting Browsers to Improve the Security of Your Webapp (20)

Directory Submissions List
Directory Submissions ListDirectory Submissions List
Directory Submissions List
 
Subresource Integrity
Subresource IntegritySubresource Integrity
Subresource Integrity
 
Bootstrap 3 in Joomla!
Bootstrap 3 in Joomla!Bootstrap 3 in Joomla!
Bootstrap 3 in Joomla!
 
More Than You Ever Wanted to Know About Resource Hints - Harry Roberts (CSS W...
More Than You Ever Wanted to Know About Resource Hints - Harry Roberts (CSS W...More Than You Ever Wanted to Know About Resource Hints - Harry Roberts (CSS W...
More Than You Ever Wanted to Know About Resource Hints - Harry Roberts (CSS W...
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
SEO voor Affiliates = E-tail update Tradetracker
SEO voor Affiliates = E-tail update TradetrackerSEO voor Affiliates = E-tail update Tradetracker
SEO voor Affiliates = E-tail update Tradetracker
 
Google-image poisoning: How hackers use images to spread malware
Google-image poisoning: How hackers use images to spread malwareGoogle-image poisoning: How hackers use images to spread malware
Google-image poisoning: How hackers use images to spread malware
 
Plone Interactivity
Plone InteractivityPlone Interactivity
Plone Interactivity
 
Library Program Technology in Ukraine & Romania
Library Program Technology in Ukraine & RomaniaLibrary Program Technology in Ukraine & Romania
Library Program Technology in Ukraine & Romania
 
Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
Péhápkaři v Pecce: Jak na bezpečnostní hlavičky – Marek Humpolík – 23. 1. 2019
 
Poisoning Google images
Poisoning Google imagesPoisoning Google images
Poisoning Google images
 
JoomlaDay Conference_September 2023 PDF.pdf
JoomlaDay Conference_September 2023 PDF.pdfJoomlaDay Conference_September 2023 PDF.pdf
JoomlaDay Conference_September 2023 PDF.pdf
 
Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015Security and Privacy on the Web in 2015
Security and Privacy on the Web in 2015
 
Link Building at Scale: Big Links with a Tiny Team
Link Building at Scale: Big Links with a Tiny TeamLink Building at Scale: Big Links with a Tiny Team
Link Building at Scale: Big Links with a Tiny Team
 
Inbound Marketing Tools - SearchFest
Inbound Marketing Tools - SearchFestInbound Marketing Tools - SearchFest
Inbound Marketing Tools - SearchFest
 
Word camp pune 2013 security
Word camp pune 2013 securityWord camp pune 2013 security
Word camp pune 2013 security
 
Web Scraping In Ruby Utosc 2009.Key
Web Scraping In Ruby Utosc 2009.KeyWeb Scraping In Ruby Utosc 2009.Key
Web Scraping In Ruby Utosc 2009.Key
 

More from Francois Marier

Security and Privacy settings for Firefox Power Users
Security and Privacy settings for Firefox Power UsersSecurity and Privacy settings for Firefox Power Users
Security and Privacy settings for Firefox Power Users
Francois Marier
 
Hardening Firefox for Security and Privacy
Hardening Firefox for Security and PrivacyHardening Firefox for Security and Privacy
Hardening Firefox for Security and Privacy
Francois Marier
 
Outsourcing your webapp maintenance to Debian
Outsourcing your webapp maintenance to DebianOutsourcing your webapp maintenance to Debian
Outsourcing your webapp maintenance to Debian
Francois Marier
 
Easy logins for Ruby web applications
Easy logins for Ruby web applicationsEasy logins for Ruby web applications
Easy logins for Ruby web applications
Francois Marier
 
You're still using passwords on your site?
You're still using passwords on your site?You're still using passwords on your site?
You're still using passwords on your site?
Francois Marier
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScript
Francois Marier
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
Francois Marier
 
Easy logins for PHP web applications
Easy logins for PHP web applicationsEasy logins for PHP web applications
Easy logins for PHP web applications
Francois Marier
 
Persona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole WebPersona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole Web
Francois Marier
 
Taking the pain out of signing users in
Taking the pain out of signing users inTaking the pain out of signing users in
Taking the pain out of signing users in
Francois Marier
 
Mozilla Persona for your domain
Mozilla Persona for your domainMozilla Persona for your domain
Mozilla Persona for your domain
Francois Marier
 
Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?
Francois Marier
 

More from Francois Marier (20)

Security and Privacy settings for Firefox Power Users
Security and Privacy settings for Firefox Power UsersSecurity and Privacy settings for Firefox Power Users
Security and Privacy settings for Firefox Power Users
 
Hardening Firefox for Security and Privacy
Hardening Firefox for Security and PrivacyHardening Firefox for Security and Privacy
Hardening Firefox for Security and Privacy
 
Privacy and Tracking Protection in Firefox
Privacy and Tracking Protection in FirefoxPrivacy and Tracking Protection in Firefox
Privacy and Tracking Protection in Firefox
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Supporting Debian machines for friends and family
Supporting Debian machines for friends and familySupporting Debian machines for friends and family
Supporting Debian machines for friends and family
 
Outsourcing your webapp maintenance to Debian
Outsourcing your webapp maintenance to DebianOutsourcing your webapp maintenance to Debian
Outsourcing your webapp maintenance to Debian
 
URL to HTML
URL to HTMLURL to HTML
URL to HTML
 
Easy logins for Ruby web applications
Easy logins for Ruby web applicationsEasy logins for Ruby web applications
Easy logins for Ruby web applications
 
Easy logins for JavaScript web applications
Easy logins for JavaScript web applicationsEasy logins for JavaScript web applications
Easy logins for JavaScript web applications
 
You're still using passwords on your site?
You're still using passwords on your site?You're still using passwords on your site?
You're still using passwords on your site?
 
Killing Passwords with JavaScript
Killing Passwords with JavaScriptKilling Passwords with JavaScript
Killing Passwords with JavaScript
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
 
Easy logins for PHP web applications
Easy logins for PHP web applicationsEasy logins for PHP web applications
Easy logins for PHP web applications
 
Persona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole WebPersona: a federated and privacy-protecting login system for the whole Web
Persona: a federated and privacy-protecting login system for the whole Web
 
Taking the pain out of signing users in
Taking the pain out of signing users inTaking the pain out of signing users in
Taking the pain out of signing users in
 
Mozilla Persona for your domain
Mozilla Persona for your domainMozilla Persona for your domain
Mozilla Persona for your domain
 
Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?Passwords and freedom: can we lose the former and retain the latter?
Passwords and freedom: can we lose the former and retain the latter?
 
Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...
Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...
Login de usuários: podemos fazer algo melhor que usar senhas ou serviços cent...
 
The problem with passwords on the web and what to do about it
The problem with passwords on the web and what to do about itThe problem with passwords on the web and what to do about it
The problem with passwords on the web and what to do about it
 

Recently uploaded

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
SOFTTECHHUB
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
gragchanchal546
 

Recently uploaded (20)

Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsx
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
South Bopal [ (Call Girls) in Ahmedabad ₹7.5k Pick Up & Drop With Cash Paymen...
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
 

Getting Browsers to Improve the Security of Your Webapp