Brussels / 31 January & 1 February 2015


Web Security

WebCrypto and CSP

This talk is about how CSP and WebCrypto provide security in a web browser. It will present how security is implemented in the browser and the many advantages CSP offers by providing content security. It will also cover where CSP is lacking and what still needs to be addressed, and show how WebCrypto provides a nice interface for interacting with the native platform security infrastructure.

This talk is about how CSP and WebCrypto provide security in a web browser. CSP is about securing content from external attacks. The talk explains CSP (Content Security Policy) and how it is evolving from providing static content security to more dynamic content security via script-hash, nonce, Subresource Integrity and per-page suborigins. Examples will show in which cases these security mechanisms secure dynamic content and why they are needed.

WebCrypto is a method through which user data can be used. The WebCrypto API allows access to keys located on the device and performs operations such as signature generation, hashing, encryption and decryption. WebCrypto provides a whole new set of possibilities for how information is secured. The talk will include the use cases for WebCrypto, the algorithms it currently supports and examples of how to use WebCrypto on a device.
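An added example, not taken from the talk or its slides: the digests behind a CSP script hash source and a Subresource Integrity attribute, computed with the WebCrypto API, followed by signature generation and verification. The function names and the choice of ECDSA P-256 are assumptions made for illustration.

```javascript
// Added example. Uses window.crypto.subtle in a browser (secure context);
// the require() fallback is only there for older Node.js versions.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

// Base64-encode an ArrayBuffer using only browser-standard APIs.
function toBase64(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Digest the exact bytes of a resource; changing one character changes the value.
async function digestB64(text, alg = 'SHA-256') {
  return toBase64(await subtle.digest(alg, new TextEncoder().encode(text)));
}

// CSP hash source for an inline script, for use as:
//   Content-Security-Policy: script-src 'sha256-<base64>'
// The input is the text between <script> and </script>, whitespace included.
async function cspHashSource(inlineScript) {
  return `'sha256-${await digestB64(inlineScript)}'`;
}

// Subresource Integrity value for an external file, for use as:
//   <script src="..." integrity="sha384-<base64>" crossorigin="anonymous">
async function sriIntegrity(resourceText) {
  return `sha384-${await digestB64(resourceText, 'SHA-384')}`;
}

// Signature generation and verification. extractable=false means the private
// key can be used through the API but never exported to page script.
async function signAndVerify(message, received = message) {
  const { privateKey, publicKey } = await subtle.generateKey(
    { name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign', 'verify']);
  const alg = { name: 'ECDSA', hash: 'SHA-256' };
  const enc = new TextEncoder();
  const sig = await subtle.sign(alg, privateKey, enc.encode(message));
  // Verification fails if the received bytes differ from the signed bytes.
  return subtle.verify(alg, publicKey, sig, enc.encode(received));
}
```

The hash source only matches if the policy value and the inline script agree byte for byte, so it has to be regenerated whenever the script text changes.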

The CSP topic is a bit of a deviation from the main topic, but WebCrypto is related as it provides a layer in software to access keys stored in different storage. It is an important abstraction which is vital for web developers to make use of hardware tokens.

About Me: I am an open source developer, contributing mainly to Chromium in rendering and security areas. I have worked previously on an EU open source project, Webinos, which used a PKI model to store keys and enable communication between the devices.


Habib Virji