Recent Writing
Web Platform Security @ CMS Security Summit 2020 This is a quick summary of a presentation I gave last week at Google’s second CMS Security Summit, held here in Munich. TL;DR: Injection attacks are bad, isolation is lacking, and I’m looking forward to more collaboration on both fronts.
XSS (No, the _other_ 'S') - CSSConf EU 2013 I had the distinct pleasure of talking with folks at this year’s CSSConf EU about the dangers of content-injection attacks. They’re not just for JavaScripters, you see: CSS is dangerous too! They’ve just posted the video, and I think it’s worth a little under a half-hour of your time to skim through.
Frontend Security - Frontend Conference, Zürich 2013 Last week, I was in Zürich to chat about client-side security. Here, I’ve wrapped up an annotated transcript, along with the slides and video. I’m pretty happy with how the talk turned out: I think it’s a good representation of what I think is important in frontend security, and worth your time to peruse.
Debugging runtime errors with 'window.onerror' in Blink After working with Blink’s implementation of window.onerror a little bit over the last week or so, I’m somewhat amazed that anyone ever used it for anything at all. Happily, we’ve made some big improvements in the last week or two that I think it’s worth highlighting here.
Securing the Client Side At the end of last year, I presented ‘Securing the Client Side’ at Devoxx, and I’ve been meaning to put together a more accessible version of the talk for those who weren’t there. I think the topics are important, and worth the effort of updating this site for the first time in a year. cough.
Content Security Policy: Feature Detection AngularJS has recently implemented support for Content Security Policy that restricts the use of eval(), new Function(), and other such text-to-JS conduits. This is a huge win, as CSP is one of the best protections modern browsers provide against XSS attacks. However, Angular’s implementation reveals a need for feature detection that the spec currently doesn’t address. This is my proposal for such an API.
Chrome connects to three random domains at startup. When you start Chrome, it attempts to connect to three random domains. I’ve seen a few theories about why exactly this happens that brush up against the nefarious. The true rationale is incredibly mundane: hopefully this short summary will clear things up.
Nerdy New Year New Year’s resolutions come in all shapes and sizes; if you’re a web developer stuck for good ideas of things you could do to improve the world (or at least the tiny chunk of it that’s concerned with web performance and security) I’d like to propose two: secure all your websites, and use a cookieless domain for static assets.
Making Your Web Apps Accessible Using HTML5 and ChromeVox Back in November, I presented twice at the Google Developer Day in Tel-Aviv. The first of those talks has been uploaded, and I spent most of the afternoon transcribing it to post here. I wanted to give the audience (you!) an introduction to screen readers, and to building accessible websites and applications. I think it was pretty successful, and I hope you enjoy it if you watch at home.
GDD Keynote: The HTML5 Demos I had the opportunity to present a few demos during the Chrome section of Saturday’s Google Developer Day in Berlin (which, incidentally, was a blast). I expect a video to go up at some point in the vaguely near future, but, since I got more than a few questions about it, I’m throwing the links up here as a stopgap before the video’s released.