This talk is not about Browser security...

(though I'll talk about some browser features)

... it is about developers and how we can help them

(and a little bit about what I'm doing at Mozilla too)

We Have a Problem

The web is growing (fast)

Active domains: 313 to 677 million in year to April 2012 (Netcraft)

New sites, new developers

Many of these aren't well trained in security

There is a legacy of broken stuff

Many active sites are infrequently maintained

Developers, Developers, etc.

BSIMM - 2% of devs should be security pros

Life is easier for all if the rest improve

Relying on Frameworks

Adoption takes time

e.g. PHP

Relying on Frameworks (2)

Relying on Frameworks (3)


Relying on Libraries

Relying on Tools / Services

What about the Browser?

Less diverse, easier to learn

There are many, many server technologies - fewer browsers

Implementation knowledge is transferable

I can say 'set this header' to Django / Java / .NET devs - they'll all know what I mean

can only help with a subset of issues

any help is welcome, right?

Vulnerability: XSS

In Browser: XSS Filter

In Browser: CSP

In Browser: CSP (2)

is enabled by setting a header

X-Content-Security-Policy: default-src 'self'; img-src *; script-src 'self' *

has a report-only mode

X-Content-Security-Policy-Report-Only: default-src 'self'; img-src *; script-src 'self' *; report-uri /csp/report
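An added example (not from the talk) that builds and parses the two headers above. It keeps the older `X-Content-Security-Policy` header name the slides use; the directive syntax is the same under the unprefixed `Content-Security-Policy` name browsers adopted later. The `audit_csp` check is an assumption of mine about what a reviewer would want flagged: the slide's `script-src 'self' *` admits scripts from any host, so such a policy would not stop an injected external script, and report-only mode is the safe way to find that out before enforcing.

```python
# Added example, not code from the talk. Serializes, parses and audits a CSP
# header of the form shown on the slide.

ENFORCE_HEADER = "X-Content-Security-Policy"             # header name used in the slides
REPORT_ONLY_HEADER = "X-Content-Security-Policy-Report-Only"


def build_csp(directives, report_uri=None, report_only=False):
    """Turn {directive: [sources]} into a (header-name, header-value) pair.

    directives is an ordered dict; report_uri, when given, is appended as the
    slide's report-uri directive. report_only selects the report-only header.
    """
    parts = ["%s %s" % (name, " ".join(sources)) for name, sources in directives.items()]
    if report_uri:
        parts.append("report-uri %s" % report_uri)
    header = REPORT_ONLY_HEADER if report_only else ENFORCE_HEADER
    return header, "; ".join(parts)


def parse_csp(value):
    """Parse a policy string back into {directive: [sources]}.

    Directives are separated by ';', the first token of each is the directive
    name and the remaining tokens are its source expressions.
    """
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def audit_csp(policy):
    """Return findings for settings that defeat CSP's XSS protection.

    script-src falls back to default-src when absent, as CSP specifies.
    A '*' source lets any host supply scripts; 'unsafe-inline' allows the
    inline scripts most XSS payloads consist of.
    """
    findings = []
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if "*" in script_sources:
        findings.append("script-src allows scripts from any origin (*)")
    if "'unsafe-inline'" in script_sources:
        findings.append("script-src allows inline scripts ('unsafe-inline')")
    return findings


if __name__ == "__main__":
    # The report-only header from the slide, rebuilt from a dict.
    name, value = build_csp(
        {"default-src": ["'self'"], "img-src": ["*"], "script-src": ["'self'", "*"]},
        report_uri="/csp/report", report_only=True)
    print("%s: %s" % (name, value))
    for finding in audit_csp(parse_csp(value)):
        print("finding:", finding)
```

Deploying the report-only variant first, with a `report-uri` endpoint that logs violations, shows which resources a site actually loads before the enforcing header is turned on.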

Clickjacking, etc.

In Browser: X-Frame-Options

Attacks: MITM

In Browser: STS
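An added example, not part of the talk, of the "set this header" advice from the earlier slide applied to the two headers just named: a small WSGI middleware that adds `X-Frame-Options` (against framing/clickjacking) and `Strict-Transport-Security` (STS, against MITM downgrade) to every response an application sends. The class name, the one-year `max-age` and the `hello_app` stand-in are my own choices; the middleware only emits STS on HTTPS responses, because browsers ignore the header when it arrives over plain HTTP.

```python
# Added example, not code from the talk: WSGI middleware adding the
# clickjacking and STS headers discussed on these slides.

STS_MAX_AGE = 31536000  # one year in seconds (assumed value)


class SecurityHeaders:
    """Wrap any WSGI app so its responses carry X-Frame-Options and STS."""

    def __init__(self, app, frame_options="DENY", sts_max_age=STS_MAX_AGE):
        self.app = app
        self.frame_options = frame_options
        self.sts_max_age = sts_max_age

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            # Leave headers the application already set alone.
            if "x-frame-options" not in present:
                headers.append(("X-Frame-Options", self.frame_options))
            # STS is only meaningful (and only honoured) over TLS.
            if environ.get("wsgi.url_scheme") == "https" and \
                    "strict-transport-security" not in present:
                headers.append(("Strict-Transport-Security",
                                "max-age=%d" % self.sts_max_age))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def hello_app(environ, start_response):
    """Minimal application standing in for a real site (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def response_headers(app, scheme="https"):
    """Run one GET through app and return (headers dict, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return dict(captured["headers"]), body


if __name__ == "__main__":
    headers, body = response_headers(SecurityHeaders(hello_app))
    for name, value in headers.items():
        print("%s: %s" % (name, value))
```

Because the middleware wraps `start_response` rather than the application, it works the same for Django, Pyramid, Flask or any other WSGI-hosted code, which is the point of the slide about browser features being framework-independent.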

Vulnerability: CSRF

Soon: SameDomain Cookies

So who uses this stuff?

Header survey

X-Content-Security-Policy: 0.01%

Developer Tools

Firefox Devtools

Developer awareness is a good thing