In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). Beyond getting familiar with these, developers have also been pushed by a number of recent high-profile bugs in the SSL/TLS protocol and its implementations to learn more about TLS ciphers and to start worrying about mixed content on their pages.
As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk gives an overview of the security and privacy landscape on the web, along with pointers to what developers need to know to secure their applications.
https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en
54. “a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin” (same-origin policy)
67. http://example.com/search?q=serious+medical+condition
    [mock page on the slide: an ad reading “Click here for the cheapest insurance around!” next to placeholder body text]
84. “If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.”
    - Bruce Schneier
102. Turn on full mixed-content blocking in development
103. - Start by enabling HTTPS and HSTS
     - Use SRI for your external scripts
     - Set a more restrictive Referrer policy
     - Consider enabling CSP
     - Watch out for mixed content