Wednesday, April 17 • 11:05am - 11:50am
Content Security Policy: A successful mess between hardening and mitigation


In this talk, we distill our multi-year experience fighting XSS at Google with nonce-based Content Security Policy (CSP), one of the most misunderstood and, arguably, most powerful web mitigation techniques.

We aim to provide a technical in-depth analysis of the effectiveness of different flavors of CSP for the many classes of XSS vulnerabilities, busting myths and common misunderstandings, and explore the often fuzzy boundaries between hardening and mitigation techniques. In a world where there are a dozen major root causes of XSS, each with its own, distinct, preventive measures, we define a threat model in which CSP can provide strong defense-in-depth guarantees and enforce best coding practices, leading to a real hardening effect.
We present advanced CSP kung-fu: setting more than one policy, pinning CSP to an origin with Origin-Policy manifests, and highlighting special cases involving Service Workers, WebAssembly and web modules.

Finally, we share for the first time data on real-world sensitive applications where exploitation of XSS vulnerabilities has been prevented on modern browsers by CSP.
After attending this talk you will finally understand CSP, knowing its strengths and limits while appreciating its complexity and multifaceted nature.

Speakers

Michele Spagnuolo

Senior Information Security Engineer, Google
Michele Spagnuolo is a Senior Information Security Engineer at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for ‘strict-dynamic’ in the W3C Content Security Policy specification, serving as a strong mitigation... Read More →

Lukas Weichselbaum

Senior Information Security Engineer, Google
Lukas Weichselbaum is a Senior Information Security Engineer at Google focusing on security enhancements and mitigations for web applications. He co-authored the specification for ‘strict-dynamic’ in the W3C Content Security Policy specification and wrote the CSP Evaluator (c... Read More →


Wednesday April 17, 2019 11:05am - 11:50am
Halele'a Room (Salon 2) 3610 Rice Street, Lihue, Hawaii 96766, USA
