
@mikewest
mikewest / 2021-webappsec-charter.md
Created January 19, 2021 14:52
Discussing a charter for WebAppSec in 2021.

WebAppSec Charter 2019

Mission

The mission of the Web Application Security Working Group is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication.

Scope

Modern Web Applications are composed of many parts and technologies. They may transclude, reference or have information flows between resources at the same, related or different origins. Due to the historically coarse-grained nature of the security boundaries and principals defined for such applications, they can be very difficult to secure.

//
// Registration
//
navigator.authentication.makeCredential({
rpDisplayName: "Acme",
displayName: "John P. Smith",
name: "johnpsmith@example.com",
id: "1098237235409872",
imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
}, [
<!DOCTYPE html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
// IDL stuff.
test(t => {
var i = document.createElement('iframe');
assert_equals("string", i.csp);
}, "<iframe> has a 'csp' attribute which is a string.");
#!/bin/sh
if [ -z "$1" ]; then
shot_path=$(date +%Y-%m-%d-%H-%M-%S).mp4
else
shot_path="$*"
fi
trap ctrl_c INT
@mikewest
mikewest / Sign-In.js
Created April 15, 2016 12:28
Eventbrite
//
// On https://www.eventbrite.com/
//
// First, adjust the `autocomplete` attributes on the email and password form fields:
document.querySelector('#login-email').setAttribute('autocomplete', 'username');
document.querySelector('#login-password').setAttribute('autocomplete', 'current-password');
// Then hook up an event listener to the form to catch typed/autofilled sign-ins:
//
// On the real site, they'd hook this up to the dispatcher that kicks off an XHR to login/:
@mikewest
mikewest / Sign-In.js
Last active April 13, 2016 17:12
Guardian + Credential Management API
//
// On https://profile.theguardian.com/signin
//
// Note: This will require relaxing the Content Security Policy on the sign-in page to
// allow `fetch()` to access the signin endpoint at `/actions/signin`.
//
// First, adjust the `autocomplete` attributes on the email and password form fields:
document.querySelector('#signin_field_email').setAttribute('autocomplete', 'username');
document.querySelector('#signin_field_password').setAttribute('autocomplete', 'current-password');
@mikewest
mikewest / Sign-In.js
Last active April 12, 2016 18:14
Credential Management API + `https://myaccount.nytimes.com`
// On https://myaccount.nytimes.com/mobile/login/smart/index.html
navigator.credentials.get({password: true}) // Include `{ ..., 'unmediated': true }` to grab credentials w/o chooser
.then(c => {
if (!c)
return;
c.additionalData = new FormData(document.querySelector('.loginForm'));
c.idName = "userid";
fetch('/mobile/login/smart/index.html', { credentials: c, method:'POST' })
.then(r => window.location = 'http://mobile.nytimes.com');
* w3c
* webappsec-clear-site-data (done)
* webappsec-cowl
* webappsec-credential-management
* webappsec-csp
* webappsec-epr (done)
* webappsec-mixed-content
* webappsec-secure-contexts (done)
* webappsec-referrer-policy
* webappsec-subresource-integrity
<html>
<body>
<object data="nonexistent.pdf" type="application/pdf"></object>
</body>
</html>
=== BUILD TARGET llvmForJSC OF PROJECT JavaScriptCore WITH CONFIGURATION Release ===
Check dependencies
Base.xcconfig line 23: Unable to find included file "<DEVELOPER_DIR>/AppleInternal/XcodeConfig/AspenFamily.xcconfig"
Base.xcconfig line 24: Unable to find included file "../../../../Internal/Configurations/HaveInternalSDK.xcconfig"
Write auxiliary files
/bin/mkdir -p /Users/mikewest/Repositories/WebKit/WebKitBuild/JavaScriptCore.build/Release/llvmForJSC.build
write-file /Users/mikewest/Repositories/WebKit/WebKitBuild/JavaScriptCore.build/Release/llvmForJSC.build/llvmForJSC-generated-files.hmap
write-file /Users/mikewest/Repositories/WebKit/WebKitBuild/JavaScriptCore.build/Release/llvmForJSC.build/llvmForJSC-own-target-headers.hmap