Abstract:
Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user: XSS, CSRF, clickjacking and related issues are common problems that most developers learn about – often the hard way! In addition, the lack of true web isolation has led to new problems like XS-Leaks and transient execution vulnerabilities such as Spectre and Meltdown, which broke the illusion that the web is immune to CPU-level bugs.
Luckily, new security mechanisms available in web browsers offer exciting features which allow developers to protect their applications. In this talk, I'll introduce these features and explain how to use them most effectively.
We’ll start by reviewing major threats based on an analysis of thousands of vulnerability reports Google receives each year under our Vulnerability Reward Program. We will find common themes between bugs which appear unrelated and focus our attention on the most frequent high-risk problems.
We’ll then turn our attention to protective mechanisms implemented in modern browsers, which address entire classes of security problems. This includes CSP3 and Trusted Types to prevent XSS, followed by Fetch Metadata request headers and CORP/COOP to protect from vulnerabilities like CSRF or Spectre that arise from insufficient isolation in the web platform.
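As an added illustration of the Fetch Metadata isolation idea mentioned above (example code, not part of the talk or of any Google project): a server-side resource isolation policy that reads the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest request headers and rejects cross-site requests other than simple top-level navigations, which is what blocks cross-site form POSTs (CSRF) and cross-site subresource loads (the XS-Leaks/Spectre read path). The request is modelled as a constructed method string plus header dict, not a real framework object.

```python
# Fetch Metadata resource isolation policy (added example).
# Header names and values are those defined by the Fetch Metadata spec.

# Requests the server always serves: from its own origin or site, or user-initiated
# (Sec-Fetch-Site: none, e.g. typed into the address bar or from a bookmark).
ALLOWED_SITES = {"same-origin", "same-site", "none"}
SAFE_METHODS = {"GET", "HEAD"}


def is_request_allowed(method: str, headers: dict) -> bool:
    """Return True if the request should be served, False if it should be rejected."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")

    # Older browsers send no Fetch Metadata at all; fail open so they keep working
    # (the existing CSRF token / SameSite cookie defences still apply to them).
    if site is None:
        return True

    if site in ALLOWED_SITES:
        return True

    # Cross-site request. Permit only a simple top-level navigation to a page:
    # a GET/HEAD with mode "navigate" whose destination is not a plugin embed.
    # This rejects cross-site POST form submissions (classic CSRF) and cross-site
    # <img>/<script>/fetch() loads that could read this response into another site.
    if (
        h.get("sec-fetch-mode") == "navigate"
        and method.upper() in SAFE_METHODS
        and h.get("sec-fetch-dest") not in ("object", "embed")
    ):
        return True

    return False


if __name__ == "__main__":
    # Constructed sample requests, one per branch of the policy.
    samples = [
        ("POST", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
        ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
        ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}),
        ("POST", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    ]
    for method, hdrs in samples:
        print(method, hdrs.get("Sec-Fetch-Site"), hdrs.get("Sec-Fetch-Dest"), "->", is_request_allowed(method, hdrs))
```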