Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Mitigate Maliciousness -- jQuery Europe 2013
Ähnlich wie Mitigate Maliciousness -- jQuery Europe 2013 (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Mitigate Maliciousness -- jQuery Europe 2013
- 1. Mitigate Maliciousness Mike West https://mikewest.org/ G+: https://mkw.st/+ Twitter: @mikewest
- 3. <script> doAstoundinglyAwesomeThing(); </script> <script> sneakilyExfiltrateUserData(); </script>
- 7. <style> p { color: {{USER_COLOR}}; } </style> <p> Hello {{USER_NAME}}, view your <a href="{{USER_URL}}">Account</a>. </p> <script> var id = {{USER_ID}}; </script> <!-- DEBUG: {{INFO}} -->
- 10. “I discount the probability of perfection.” -Alex Russell
- 11. Not “if”, but “when”.
- 12. Before all else, send data securely
- 17. $ curl -I http://mkw.st/ HTTP/1.1 301 Moved Permanently Server: nginx/1.3.7 Date: Sun, 11 Nov 2012 19:36:15 GMT Content-Type: text/html Content-Length: 184 Connection: keep-alive Keep-Alive: timeout=20 Location: https://mkw.st/
- 18. Set-Cookie: ...; secure; HttpOnly
- 19. Strict-Transport-Security: max-age=2592000; includeSubDomains
- 20. Public-Key-Pins: max-age=2592000; pin-sha1="4n972H…60yw4uqe/baXc="; pin-sha1="IvGeLsbqzP…j2xVTdXgc=" http://tools.ietf.org/html/draft-ietf-websec-key-pinning
- 22. Limit the browser’s capabilities “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” Jerome H. Saltzer, "Protection and the control of information sharing in multics"
- 26. Content-Security-Policy: default-src 'none'; style-src https://mikewestdotorg.hasacdn.net; frame-src https://www.youtube.com http://www.slideshare.net; script-src https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com; img-src 'self' https://mikewestdotorg.hasacdn.net https://ssl.google-analytics.com data:; font-src https://mikewestdotorg.hasacdn.net
- 27. Content-Security-Policy: default-src ...; script-src ...; object-src ...; style-src ...; img-src ...; media-src ...; frame-src ...; font-src ...; connect-src ...; sandbox ...; report-uri https://example.com/reporter.cgi
- 28. <script> function handleClick() { ... } </script> <button onclick="handleClick()">Click me!</button> <a href="javascript:handleClick()">Click me!</a>
- 29. <!-- index.html --> <script src="clickHandler.js"></script> <button class="clickable">Click me!</button> <a href="#" class="clickable">Click me!</a> <!-- clickHandler.js --> function handleClick() { ... } document.addEventListener('DOMContentLoader', function() { for (var e in document.querySelectorAll('.clickable')) e.addEventListener('click', clickHandler); });
- 30. Content-Security-Policy-Report-Only: default-src https:; report-uri https://example.com/csp-violations { "csp-report": { "document-uri": "http://example.org/page.html", "referrer": "http://evil.example.com/haxor.html", "blocked-uri": "http://evil.example.com/image.png", "violated-directive": "default-src 'self'", "original-policy": "...", "line-number": "10" } }
- 31. http://www.html5rocks.com/en/tutorials/ security/content-security-policy/
- 32. Remember two things: HTTPS: http://goo.gl/Pw6wU CSP: http://goo.gl/QcuaK Questions? mkwst@google.com mkw.st/+ @mikewest
- 34. <iframe src="page.html" sandbox></iframe> <!-- * Unique origin * No plugins. * No script. * No form submissions. * No top-level navigation. * No popups. * No autoplay. * No pointer lock. * No seamless iframes. -->
- 35. <iframe src="page.html" sandbox="allow-forms allow-pointer-lock allow-popups allow-same-origin allow-scripts allow-top-navigation"></iframe> <!-- * No plugins. * No seamless iframes. -->
- 36. <!-- User-generated content? (in The Near Future™) --> <iframe seamless srcdoc="<p>This is a comment!</p>" sandbox></iframe>
- 37. http://www.html5rocks.com/en/tutorials/ security/sandboxed-iframes/