How I learnt to play in the (CSP) Sandbox

Presented at LocoMocoSec 2018, April 5, 2018, 9:50 a.m. (40 minutes)

The typical way to isolate untrusted components on the web is to run them in a separate, isolated domain. While very secure, "untrustedsite.com" is not the best place to host a lot of content, such as help center, forum and marketing pages: it looks bad and carries a good deal of administrative overhead. An alternative is to use the CSP sandbox directive to isolate untrusted components in the "null" origin while still serving them from your main site. This is much easier to deploy and provides a powerful mitigation. This talk will cover how we deployed a CMS on www.dropbox.com without increasing our XSS risk, some interesting corner cases to think about, and a discussion of upcoming primitives like Suborigins that will make all of this a lot easier.
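As an added example (not code from the talk or from Dropbox), the following Python WSGI middleware shows the deployment pattern described above: CMS pages are served from the main site's hostname, but responses under assumed untrusted path prefixes get a `Content-Security-Policy: sandbox` header so the document runs in an opaque ("null") origin. The prefixes and the flag set are assumptions; the check that refuses `allow-same-origin` together with `allow-scripts` reflects the HTML sandbox rule that this combination lets a page remove its own sandbox.

```python
# Constructed: path prefixes on the main site that carry CMS-generated content.
SANDBOXED_PREFIXES = ("/help/", "/forums/", "/marketing/")

# Assumed flag set for CMS pages. 'allow-same-origin' is deliberately absent:
# without it the document's origin is opaque, so it cannot read the main
# site's cookies, storage or DOM even though it is served from the same host.
DEFAULT_FLAGS = ("allow-scripts", "allow-forms", "allow-popups")


def build_sandbox_policy(flags=DEFAULT_FLAGS):
    """Return the CSP value for the given sandbox flags, refusing the one
    combination that defeats the isolation."""
    flags = tuple(flags)
    if "allow-same-origin" in flags and "allow-scripts" in flags:
        raise ValueError("allow-same-origin with allow-scripts defeats the sandbox")
    return "sandbox" + "".join(" " + f for f in flags)


def is_sandboxed_path(path):
    return any(path.startswith(p) for p in SANDBOXED_PREFIXES)


def add_csp_sandbox(headers, path, flags=DEFAULT_FLAGS):
    """Return a new header list; untrusted paths get an extra CSP header.
    CSP enforces every policy header present, so an existing policy is kept
    and the sandbox is added alongside it rather than replacing it."""
    out = list(headers)
    if is_sandboxed_path(path):
        out.append(("Content-Security-Policy", build_sandbox_policy(flags)))
    return out


def sandbox_middleware(app):
    """Wrap a WSGI app so responses for untrusted paths are sandboxed."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")

        def sr(status, headers, exc_info=None):
            return start_response(status, add_csp_sandbox(headers, path), exc_info)

        return app(environ, sr)
    return wrapped


def run_through_middleware(path):
    """Helper for demonstration: run a trivial app and return the headers sent."""
    sent = {}

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<p>cms page</p>"]

    def capture(status, headers, exc_info=None):
        sent["headers"] = headers

    list(sandbox_middleware(app)({"PATH_INFO": path}, capture))
    return sent["headers"]
```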


Presenters:

  • Devdatta Akhawe - Dropbox
    Devdatta leads the Product Security team at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is a co-author of award-winning papers on security at top academic conferences and has also spoken at Blackhat, AppSec Cali, etc. He is also a co-editor on the Subresource Integrity and Suborigins specifications at the W3C. More info about him (including how to pronounce his name) is at [devd.me](http://devd.me/).
