Recent Web Security Technology, by Lieven Desmet
The de facto security policy in web applications is the Same-Origin Policy (SOP). From the start, it was meant to confine websites within their origin while still allowing navigation between different sites. In practice, however, the origin-bound security model turns out to be both too permissive and too restrictive.
In this talk, I will discuss various security mechanisms proposed within web standardization activities and by browser vendors. These mechanisms give the website owner more control over the confinement of third-party content within his site (e.g. the integration of third-party scripts and inner frames), and over the way his content is used by external sites.
All these security mechanisms have a similar deployment pattern: security policies are defined by the website owner, and are enforced by security controls within the browser environment. Important examples of such recent web security technology are the HTML5 sandbox attribute, the Origin header and Cross-Origin Resource Sharing protocol, the X-Frame-Options header, HTTP Strict Transport Security (HSTS) and the Content Security Policy (CSP).
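As an added illustration of the deployment pattern just described (not part of the talk or its slides): the server emits owner-defined policies as response headers, decides CORS responses from the Origin header, and confines third-party frames with the sandbox attribute. The origins, directive values and function names are constructed for this example.

```python
from html import escape
from typing import Dict, Optional

# Constructed allowlist of origins permitted to read our responses cross-origin.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def policy_headers() -> Dict[str, str]:
    """Owner-defined policies that the browser enforces on every response."""
    return {
        # HSTS: only reach this host over HTTPS for one year, subdomains included.
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        # Clickjacking defence: refuse to be framed by other origins.
        "X-Frame-Options": "SAMEORIGIN",
        # CSP: scripts only from our own origin, no inline script, no frames.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-src 'none'",
    }


def cors_headers(origin: Optional[str], method: str,
                 preflight_method: Optional[str] = None) -> Dict[str, str]:
    """Answer a cross-origin request (or an OPTIONS preflight) from its Origin header.

    Returns an empty dict when the origin is not allowed; without
    Access-Control-Allow-Origin the browser refuses to expose the response.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        # Echo exactly one allowed origin; never '*' for authenticated resources.
        "Access-Control-Allow-Origin": origin,
        # Shared caches must key the response on Origin.
        "Vary": "Origin",
    }
    if method == "OPTIONS" and preflight_method:
        headers["Access-Control-Allow-Methods"] = "GET, POST"
        headers["Access-Control-Max-Age"] = "600"
    return headers


def sandboxed_iframe(src: str, allow_scripts: bool = False) -> str:
    """Embed third-party content in an HTML5 sandboxed iframe.

    An empty sandbox value applies every restriction (unique origin, no scripts,
    no forms, no top-navigation); allow-scripts relaxes only script execution.
    """
    flags = "allow-scripts" if allow_scripts else ""
    return f'<iframe src="{escape(src, quote=True)}" sandbox="{flags}"></iframe>'
```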
+ Understand the origin-based separation model in web applications
+ Gain insight into upcoming web security technology being standardized as part of the web infrastructure (HTML5 sandbox, Origin header, CORS, X-Frame-Options, CSP, HSTS, ...)
+ Understand the benefits and drawbacks of these mechanisms for coarse-grained website confinement within the browser
This lecture was delivered by Lieven Desmet at SecAppDev 2014 in Leuven.
Lieven Desmet is Research Manager on Secure Software within the iMinds-DistriNet Research Group at KU Leuven. His interests are in software security and the security of web-enabled technologies. He is on the board of the Belgian OWASP chapter.
As research manager, Lieven Desmet coordinates the different security research tracks within DistriNet, outlines new research programs and coaches junior researchers in (web) application security. In particular, he follows up on valorization opportunities and collaborations with industrial partners.