Mike West mikewest

WebAppSec Charter 2019

Mission

The mission of the Web Application Security Working Group is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication.

Scope

Modern Web Applications are composed of many parts and technologies. They may transclude, reference or have information flows between resources at the same, related or different origins. Due to the historically coarse-grained nature of the security boundaries and principals defined for such applications, they can be very difficult to secure.

	//
	// Registration
	//
	navigator.authentication.makeCredential({
	rpDisplayName: "Acme",
	displayName: "John P. Smith",
	name: "[email protected]",
	id: "1098237235409872",
	imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
	}, [

	<!DOCTYPE html>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<script>
	// IDL stuff.
	test(t => {
	var i = document.createElement('iframe');
	assert_equals("string", i.csp);
	}, "<iframe> has a 'csp' attibute which is a string.");

	#!/bin/sh

	if [ -z "$1" ]; then
	shot_path=$(date +%Y-%m-%d-%H-%M-%S).mp4
	else
	shot_path="$*"
	fi

	trap ctrl_c INT

	//
	// On https://www.eventbrite.com/
	//
	// First, adjust the `autocomplete` attributes on the email and password form fields:
	document.querySelector('#login-email').setAttribute('autocomplete', 'username');
	document.querySelector('#login-password').setAttribute('autocomplete', 'current-password');

	// Then hook up an event listener to the form to catch typed/autofilled sign-ins:
	//
	// On the real site, they'd hook this up to the dispatcher that kicks off an XHR to login/:

	//
	// On https://profile.theguardian.com/signin
	//
	// Note: This will require relaxing the Content Security Policy on the sign-in page to
	// allow `fetch()` to access the signin endpoint at `/actions/signin`.
	//
	// First, adjust the `autocomplete` attributes on the email and password form fields:
	document.querySelector('#signin_field_email').setAttribute('autocomplete', 'username');
	document.querySelector('#signin_field_password').setAttribute('autocomplete', 'current-password');

	// On https://myaccount.nytimes.com/mobile/login/smart/index.html

	navigator.credentials.get({password: true}) // Include `{ ..., 'unmediated': true }` to grab credentials w/o chooser
	.then(c => {
	if (!c)
	return;
	c.additionalData = new FormData(document.querySelector('.loginForm'));
	c.idName = "userid";
	fetch('/mobile/login/smart/index.html', { credentials: c, method:'POST' })
	.then(r => window.location = 'http://mobile.nytimes.com');

	* w3c
	* webappsec-clear-site-data (done)
	* webappsec-cowl
	* webappsec-credential-management
	* webappsec-csp
	* webappsec-epr (done)
	* webappsec-mixed-content
	* webappsec-secure-contexts (done)
	* webappsec-referrer-policy
	* webappsec-subresource-integrity

	<html>
	<body>
	<object data="nonexistent.pdf" type="application/pdf"></object>
	</body>
	</html>

	=== BUILD TARGET llvmForJSC OF PROJECT JavaScriptCore WITH CONFIGURATION Release ===

	Check dependencies
	Base.xcconfig line 23: Unable to find included file "<DEVELOPER_DIR>/AppleInternal/XcodeConfig/AspenFamily.xcconfig"
	Base.xcconfig line 24: Unable to find included file "../../../../Internal/Configurations/HaveInternalSDK.xcconfig"

	Write auxiliary files
	/bin/mkdir -p /Users/mikewest/Repositories/WebKit/WebKitBuild/JavaScriptCore.build/Release/llvmForJSC.build
	write-file /Users/mikewest/Repositories/WebKit/WebKitBuild/JavaScriptCore.build/Release/llvmForJSC.build/llvmForJSC-generated-files.hmap
	write-file /Users/mikewest/Repositories/WebKit/WebKitBuild/JavaScriptCore.build/Release/llvmForJSC.build/llvmForJSC-own-target-headers.hmap