Devdatta Akhawe

Friday, Sep 7, 2018 at 11:30 AM in 380 Soda Hall

Title: How I learnt to play in the CSP Sandbox

Abstract: The typical way to isolate untrusted components on the web is to run them in an isolated domain. While very secure, "untrustedsite.com" is not the best place to host a lot of content like a help center, forums, and marketing pages. It looks bad and has a bunch of administrative overhead. Instead, an alternative is to use the CSP sandbox directive to isolate untrusted components in the "null" origin but still serve them from your main site. This is a lot easier to deploy and provides a powerful mitigation. This talk will cover how we deployed a CMS on www.dropbox.com without increasing our XSS risk; some interesting corner cases to think about; and a discussion on upcoming primitives like Suborigins that will make all of this a lot easier.

Bio: Dev is a Director of Security Engineering at Dropbox, where he heads production security. Before Dropbox, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is a co-author of award-winning papers on security at top academic conferences and has also spoken at Black Hat, AppSec Cali, etc. He is also a co-editor on the Subresource Integrity and Suborigins specifications at the W3C. More info about him (including how to pronounce his name) is at devd.me.
