Come join us for the first annual conference! We’ve hand selected a group of industry leaders to share their experiences in the lovely setting of Kailua Kona, HI.

Read more at:  https://locomocosec.com

Thursday, April 5, 2018 • 9:50am - 10:30am HST
How I learnt to play in the (CSP) Sandbox

The typical way to isolate untrusted components on the web is to run them on a separate, isolated domain. While very secure, "untrustedsite.com" is not the best place to host content such as a help center, forums, or marketing pages: it looks bad and carries a lot of administrative overhead. An alternative is to use the CSP sandbox directive to isolate untrusted components in the "null" origin while still serving them from your main site. This is much easier to deploy and provides a powerful mitigation. This talk will cover how we deployed a CMS on www.dropbox.com without increasing our XSS risk; some interesting corner cases to think about; and a discussion of upcoming primitives like Suborigins that will make all of this a lot easier.
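The following is an added example, not code from the talk or from Dropbox, of what the abstract describes: CMS pages served from the main site get a `Content-Security-Policy: sandbox ...` response header so the browser runs them in an opaque ("null") origin, and an audit function flags the settings that would quietly undo that isolation. The `/help/` path prefix, the flag list and the sample responses are assumptions made for the example.

```javascript
// Added example (not the talk's or Dropbox's code): serve CMS-rendered pages
// under a hypothetical /help/ prefix with a CSP sandbox directive, and audit a
// policy for the settings that would defeat the isolation.

const CMS_PREFIX = '/help/'; // assumed path prefix for CMS content

// Capabilities granted inside the sandbox. Deliberately NOT allow-same-origin:
// that token hands the content back the site's real origin.
const SANDBOX_FLAGS = ['allow-scripts', 'allow-forms', 'allow-popups'];

// Build the CSP header value for a request path. Pages outside the CMS keep
// the main application's policy (a stand-in value here).
function cspForPath(path) {
  if (path.startsWith(CMS_PREFIX)) {
    return `sandbox ${SANDBOX_FLAGS.join(' ')}`;
  }
  return "default-src 'self'"; // placeholder for the main site's real policy
}

// Parse a CSP header value into { directiveName: [tokens] }.
function parseCsp(value) {
  const policy = {};
  for (const raw of value.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Audit one policy. Returns a list of findings; an empty list means the page
// really does run in an opaque origin. `viaMeta` marks a policy delivered in
// <meta http-equiv>, where browsers ignore the sandbox directive entirely.
function auditSandbox(headerValue, { viaMeta = false } = {}) {
  const findings = [];
  const policy = parseCsp(headerValue);
  if (!('sandbox' in policy)) {
    findings.push('no sandbox directive: page runs in the site origin');
    return findings;
  }
  if (viaMeta) {
    findings.push('sandbox delivered via <meta>: ignored by browsers, send it as an HTTP header');
  }
  const flags = policy.sandbox.map((t) => t.toLowerCase());
  if (flags.includes('allow-same-origin')) {
    findings.push('allow-same-origin: content keeps the site origin, isolation is defeated');
  }
  if (flags.includes('allow-top-navigation')) {
    findings.push('allow-top-navigation: sandboxed content may navigate the top-level page');
  }
  return findings;
}

// Constructed sample responses, as a server might emit them.
const SAMPLE_RESPONSES = [
  { path: '/help/article/123', csp: cspForPath('/help/article/123') },
  { path: '/help/forum', csp: 'sandbox allow-scripts allow-same-origin' },
  { path: '/home', csp: cspForPath('/home') },
];

// Audit every CMS response and return { path: [findings] } for the bad ones.
function auditCmsResponses(responses) {
  const report = {};
  for (const r of responses) {
    if (!r.path.startsWith(CMS_PREFIX)) continue;
    const findings = auditSandbox(r.csp);
    if (findings.length > 0) report[r.path] = findings;
  }
  return report;
}

console.log(auditCmsResponses(SAMPLE_RESPONSES));
```

The audit deliberately treats `allow-same-origin` as a hard failure: with it, the "sandboxed" CMS page is same-origin with www.* again, so an XSS in the CMS reads the main site's cookies and DOM exactly as if no sandbox existed. The `viaMeta` check exists because the sandbox directive is only honoured in the HTTP header, not in a `<meta>` policy, so a CMS template that emits its own meta CSP gives no isolation at all.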

Devdatta Akhawe

Engineering Manager, Product Safety, Dropbox
Devdatta leads the Product Security team at Dropbox. Before that, he received a PhD in Computer Science from UC Berkeley. His graduate research focused on browser and web application security, during which time he also collaborated with the Firefox and Chrome teams. He is a co-author...
