Lukas Weichselbaum

Senior Staff Manager & TL at Google's Information Security Engineering team.
Passionate about web security – in particular CSP, Fetch Metadata, COOP and Trusted Types. Opinions are my own.
Website 🕸️https://webappsec.dev
Google I/O 🎙️https://speakerdeck.com/lweichselbaum/o-19-securing-web-apps-with-modern-platform-features
web.dev ✍️https://web.dev/authors/lwe/
Bluesky 🦋https://bsky.app/profile/webappsec.dev
Twitter https://twitter.com/we1x

Building secure web apps shouldn't be a burden. We've built a high-assurance web framework at Google that makes security easy for developers. Learn about our "Secure by Design" approach and how it works in our new blog post:

https://bughunters.google.com/blog/6644316274294784/secure-by-design-google-s-blueprint-for-a-high-assurance-web-framework

cc: @ddworken

Blog: Secure by Design: Google's Blueprint for a High-Assurance Web Framework

Learn more about how Google has created and deployed a high-assurance web framework that almost completely eliminates exploitable web vulnerabilities.

I put together a bluesky starter pack with amazing web security folks like @terjanq, @SheHacksPurple, @gaz and many more: http://go.bsky.app/Uf8dZhz

Please share, join, or comment if you know someone who should be on that list.

@Oreoshake @vcsjones @koto That's great news! Always happy to hear about these. Thank you @Oreoshake and @vcsjones!

Very exciting! Safari TP 161* has added support for Fetch Metadata request headers! Once support lands in Safari stable, Fetch Metadata will be supported in *all* major browser engines allowing some really interesting defences: https://web.dev/fetch-metadata

*https://webkit.org/blog/13686/release-notes-for-safari-technology-preview-161/

Protect your resources from web attacks with Fetch Metadata

Fetch Metadata is a new web platform feature designed to allow servers to protect themselves from cross-origin attacks.

web.dev
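The "resource isolation policy" that the linked web.dev article builds on Fetch Metadata, as an added example (this is not code from the post or from web.dev): a server-side check over the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest request headers that rejects cross-site non-navigational requests while keeping legacy browsers and ordinary links working. The request objects are constructed samples, not captured traffic.

```javascript
// Added example: Fetch Metadata resource isolation policy for a sensitive endpoint.
// Header names are lower-cased, as Node's http module exposes them.
const SAME_SITE_VALUES = new Set(['same-origin', 'same-site', 'none']);

// Returns { allowed, reason } for a request shaped like
// { method: 'GET', headers: { 'sec-fetch-site': ..., ... } }.
function resourceIsolationPolicy(req) {
  const h = req.headers;
  const site = h['sec-fetch-site'];
  // 1. Browsers without Fetch Metadata support send no Sec-Fetch-Site, so the
  //    request cannot be classified and is let through (no regression for them).
  if (site === undefined) {
    return { allowed: true, reason: 'no-fetch-metadata' };
  }
  // 2. Same-origin, same-site and browser-initiated (address bar, bookmark) requests.
  if (SAME_SITE_VALUES.has(site)) {
    return { allowed: true, reason: 'same-site-or-user-initiated' };
  }
  // 3. Cross-site top-level GET navigations keep inbound links working, except when
  //    the destination is <object>/<embed>, which would let another site embed us.
  if (
    h['sec-fetch-mode'] === 'navigate' &&
    req.method === 'GET' &&
    !['object', 'embed'].includes(h['sec-fetch-dest'])
  ) {
    return { allowed: true, reason: 'cross-site-navigation' };
  }
  // 4. Everything else is a cross-site fetch, subresource load or POST navigation
  //    (the CSRF / XS-leak / XSSI shapes the policy exists to stop): reject.
  return { allowed: false, reason: 'cross-site-non-navigational' };
}

// Constructed sample requests, one per branch of the policy.
const SAMPLE_REQUESTS = {
  legacyBrowser: { method: 'GET', headers: {} },
  sameOriginFetch: { method: 'POST', headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors', 'sec-fetch-dest': 'empty' } },
  crossSiteLink: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  crossSiteEmbed: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'embed' } },
  crossSiteImage: { method: 'GET', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } },
  crossSiteFormPost: { method: 'POST', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
};

// Evaluates every sample and returns a name -> allowed map.
function evaluateSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = resourceIsolationPolicy(req).allowed;
  }
  return out;
}
```

In a real deployment the check runs as middleware before the handler, and a rejected request gets a 403; endpoints that legitimately receive cross-site POSTs (OAuth callbacks, webhooks) need an explicit allow-list rather than a weaker global rule.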
@ianopolous @peergos you may also want to restrict `form-action` then to prevent exfiltration via JS-submitted forms.
@ianopolous @peergos Yes, being in a sandboxed iframe probably helps if you can control the CSP (and frame-src) for that frame as well.
@ianopolous @peergos Full exfiltration protection would be hard to achieve for CSP and is not something CSP was designed for. Furthermore, the proposed navigate-to directive has been deprecated due to security issues it would introduce (iirc the implementation would have allowed certain information leaks): https://github.com/w3c/webappsec-csp/pull/564
Remove `navigate-to`. by mikewest · Pull Request #564 · w3c/webappsec-csp

Though there's an implementation of this directive behind a flag in Chromium, it's not something that any vendor has shipped, and there are real concerns about information leaks that it enables. Th...

GitHub
@ianopolous @peergos Hi Ian, this is an interesting proposal. CSP usually cannot prevent exfiltration of data once untrusted/malicious scripts can be executed in the origin where the sensitive data lives. For example, CSP does not restrict navigation, and therefore navigating a site (or opening a new window) can be used to exfiltrate data, e.g. navigating to example.com?x=some-data.
However, I don't know your setup so my comment may or may not be accurate here.
You can find more examples on slide 25 here: https://conference.hitb.org/hitbsecconf2018ams/materials/D2T2%20-%20Michele%20Spagnuolo%20&%20Lukas%20Weichselbaum%20-%20Defense-in-Depth%20Techniques%20for%20Modern%20Web%20Applications%20and%20Google%E2%80%99s%20Journey%20with%20CSP.pdf
Infosec.exchange crossed 40000 accounts a few minutes ago. 7 weeks ago, we had ~180 active accounts.

New blog post: The death of the line of death

The "line of death" is a security boundary in web browsers about separating trustworthy browser UI from untrusted web content; I think the concept is waning in utility over time.

https://emilymstark.com/2022/12/18/death-to-the-line-of-death.html

The death of the line of death

The line of death, as Eric Lawrence explained in a classic blog post, is the idea that an application should separate trustworthy UI from untrusted content. The typical example is in a web browser, where untrustworthy web content appears below the browser toolbar UI. Trustworthy content provided by the web browser must appear either in the browser toolbar, or anchored to it or overlapping it. If this separation is maintained, then untrusted content can’t spoof the trustworthy browser UI to trick or attack the user.

Emily M. Stark