Thursday, 20 November 2014

Client-Side Security Policies for the Web

Client-Side Security Policies for the Web: a lecture by Lieven Desmet at SecAppDev Leuven 2013.

Learning objectives

+ Understand the origin-based separation model in web applications.
+ Gain insight into upcoming web security technology being standardized as part of the web infrastructure (HTML5 sandbox, Origin header, CORS, X-Frame-Options, CSP, ...).
+ Understand the benefits and drawbacks of these mechanisms for coarse-grained website confinement within the browser.

Overview

The de facto security policy in web applications is the Same-Origin Policy (SOP). From the start, it was meant to confine websites within their origin while still allowing navigation between different sites. In practice, however, the origin-bound security model turns out to be both too permissive and too restrictive.
In this talk, I will discuss various security mechanisms proposed within web standardization activities and by browser vendors. These mechanisms give the website owner more control over the confinement of third-party content within his site (e.g. the integration of third-party scripts and inner frames), and over the way his content is used by external sites.
All these security mechanisms share a similar deployment pattern: security policies are defined by the website owner and are enforced by security controls within the browser environment. Important examples of such client-side security policies are the HTML5 sandbox attribute, the Origin header and the Cross-Origin Resource Sharing (CORS) protocol, the X-Frame-Options header, and the Content Security Policy (CSP).
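As an added example (not from the lecture or its slides), the snippet below shows the deployment pattern just described from the website owner's side: the server emits X-Frame-Options and CSP headers, answers CORS requests only for an exact-match allowlist of origins checked against the Origin header, and wraps third-party content in a sandboxed iframe. The allowlist, the CSP string and the `naive_allows` contrast function are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist: origins permitted to read our resources cross-origin.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}

# Constructed baseline CSP: own-origin scripts only, no plugins, no framing.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"


def normalize_origin(origin):
    """Canonicalise an Origin header value to scheme://host[:port], or None.

    'null' (sandboxed or opaque origins) and anything that is not a bare
    http(s) origin is rejected rather than guessed at.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def naive_allows(origin):
    """The substring check this example warns against: it also matches
    'https://app.example.attacker.net', so it is NOT used below."""
    return "app.example" in (origin or "")


def security_headers(request_origin):
    """Client-side policies the browser enforces for one response."""
    headers = {
        "X-Frame-Options": "DENY",          # legacy anti-framing control
        "Content-Security-Policy": CSP,     # script/object/frame-ancestor confinement
        "Vary": "Origin",                   # caches must key on the Origin header
    }
    origin = normalize_origin(request_origin)
    if origin in ALLOWED_ORIGINS:          # exact match, never an echo of Origin
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Methods"] = "GET, POST"
    return headers


def sandboxed_iframe(third_party_url):
    """Embed third-party content with the HTML5 sandbox attribute: scripts may
    run, but the frame gets a unique origin, cannot navigate the top page and
    cannot submit forms. The URL is escaped before being placed in markup."""
    return f'<iframe sandbox="allow-scripts" src="{html.escape(third_party_url, quote=True)}"></iframe>'
```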

Lieven Desmet is Research Manager on Secure Software within the DistriNet Research Group at the Katholieke Universiteit Leuven, where he coaches junior researchers in web application security and participates in dissemination and valorization activities. His interests are in software verification and security of middleware and web-enabled technologies. He is on the Belgium OWASP chapter board.
