8 articles and links tagged with “security”
XSS (No, the _other_ 'S') - CSSConf EU 2013 Frontend Security - Frontend Conference, Zürich 2013
Last week, I was in Zürich to chat about client-side security. Here, I’ve wrapped up an annotated transcript, along with the slides and video. I’m pretty happy with how the talk turned out: I think it’s a good representation of what I think is important in frontend security, and worth your time to peruse.
Securing the Client Side
At the end of last year, I presented ‘Securing the Client Side’ at Devoxx, and I’ve been meaning to put together a more accessible version of the talk for those who weren’t there. I think the topics are important, and worth the effort of updating this site for the first time in a year. cough.
Content Security Policy: Feature Detection
AngularJS has recently implemented support for Content Security Policy that restricts the use of
new Function(), and other such text-to-JS conduits. This is a huge win, as CSP is one of the best protections modern browsers provide against XSS attacks. However, Angular’s implementation reveals a need for feature detection that the spec currently doesn’t address. This is my proposal for such an API.
Secure Chrome extensions: Content Security Policy
Based on the Content Security Policy primer I wrote last week, you should have a good idea of what CSP can offer a website developer. What might not be clear is that the policies can extend beyond HTTP, a bit more deeply into the browser. Chrome offers Content Security Policy support for extensions that substantially reduce the possibility of permission leakage; this article describes how it works, and how you can use it in your extensions.
Content Security Policy: A Primer
The web’s security model is fundamentally broken, and has been since the beginning. Content Security Policy is an upcoming feature of the web platform that promises to mitigate the risk of XSS attacks, and it’s worth starting to play with now.
HTTP Strict Transport Security and You
With a simple Wi-Fi packet-sniffer, intercepting login cookies over the air is far easier than it ought to be. Happily, clever people have put together solid mitigation techniques, one of which is HTTP Strict Transport Security. I’ve implemented it on a personal site, this article describes what it is, why it’s important, and how you can use it yourself.
Some Thoughts Regarding Caja
Yesterday, Yahoo! made some announcements regarding The Future™ of many of their high profile properties. Specifically, they’re (slowly) opening up, enabling third-party developers to build applications that can be seen on and interact with your My Yahoo! page, or your mailbox. I think this is a great step, and one I wish they’d made before they laid me off.