Lukas Weichselbaum

297 Followers
400 Following
17 Posts
Senior Staff Manager & TL at Google's Information Security Engineering team.
Passionate about web security – in particular CSP, Fetch Metadata, COOP and Trusted Types. Opinions are my own.
Website 🕸️https://webappsec.dev
Google I/O 🎙️https://speakerdeck.com/lweichselbaum/o-19-securing-web-apps-with-modern-platform-features
web.dev ✍️https://web.dev/authors/lwe/
Bluesky 🦋https://bsky.app/profile/webappsec.dev
Twitter https://twitter.com/we1x

Building secure web apps shouldn't be a burden. We've built a high-assurance web framework at Google that makes security easy for developers. Learn about our "Secure by Design" approach and how it works in our new blog post:

https://bughunters.google.com/blog/6644316274294784/secure-by-design-google-s-blueprint-for-a-high-assurance-web-framework

cc: @ddworken

Blog: Secure by Design: Google's Blueprint for a High-Assurance Web Framework

Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.

I put together a bluesky starter pack with amazing web security folks like @terjanq, @SheHacksPurple, @gaz and many more: http://go.bsky.app/Uf8dZhz

Please share, join, or comment if you know someone who should be on that list.

Web security

Join the conversation

Bluesky Social

Very exciting! Safari TP 161* has added support for Fetch Metadata request headers! Once support lands in Safari stable, Fetch Metadata will be supported in *all* major browser engines allowing some really interesting defences: https://web.dev/fetch-metadata

*https://webkit.org/blog/13686/release-notes-for-safari-technology-preview-161/

Protect your resources from web attacks with Fetch Metadata

Fetch Metadata is a new web platform feature designed to allow servers to protect themselves from cross-origin attacks.

web.dev

Infosec.exchange crossed 40000 accounts a few minutes ago. 7 weeks ago, we had ~180 active accounts.

New blog post: The death of the line of death

The "line of death" is a security boundary in web browsers about separating trustworthy browser UI from untrusted web content; I think the concept is waning in utility over time.

https://emilymstark.com/2022/12/18/death-to-the-line-of-death.html

The death of the line of death

The line of death, as Eric Lawrence explained in a classic blog post, is the idea that an application should separate trustworthy UI from untrusted content. The typical example is in a web browser, where untrustworthy web content appears below the browser toolbar UI. Trustworthy content provided by the web browser must appear either in the browser toolbar, or anchored to it or overlapping it. If this separation is maintained, then untrusted content can’t spoof the trustworthy browser UI to trick or attack the user.

Emily M. Stark

Exploiting Zoom whiteboard via the clipboard. Nice find from @spaceraccoon

https://spaceraccoon.dev/analyzing-clipboardevent-listeners-stored-xss/

I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS

When are copy-paste payloads not self-XSS? When it’s stored XSS. Recently, I reviewed Zoom’s code to uncover an interesting attack vector.

Has anyone tried https://post.news?

Post News

Access journalism from premium publishers without subscriptions or ads. Discover, follow, and connect with diverse voices on topics you care about.

Post News