W3C Prepares Guidance For Web Development In A Post-Spectre World

Written by Michael Larabel in Programming on 11 March 2021 at 03:26 AM EST.
An editor's draft for post-Spectre web development guidance was made available by the W3C.

The W3C is preparing guidelines to help web developers better ensure their code is safe from potential exploitation of the Spectre security vulnerabilities. Spectre has been public since January 2018, and concerns around JIT'ed JavaScript have been known. Recently made public, though, was the first "fully weaponized" exploit for Spectre beyond the early proof-of-concept code.

The editor's draft of "Post-Spectre Web Development" outlines recommendations for handling requests, restricting attackers' ability to load data as a document or sub-resource, preventing MIME-type confusion attacks, and restricting attackers' ability to obtain a handle to the window.
"Post-Spectre, we need to adopt some new strategies for safe and secure web development. This document outlines a threat model we can share, and a set of mitigation recommendations.

"TL;DR: Your data must not unexpectedly enter an attacker's process."

The current draft can be found at w3c.github.io.
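
One way to express the four recommendation areas listed above as server-side policy, given as an added example that is not code from this article or from the W3C draft. The header names are standard browser features; the function names, the strict same-origin policy choices and the sample requests are assumptions made for illustration.

```javascript
// Added example. Assumption: this origin serves nothing to other origins.

// Response headers, one group per recommendation area.
function isolationHeaders(contentType) {
  return {
    "Content-Type": contentType,
    // MIME-type confusion: the browser must honour the declared type.
    "X-Content-Type-Options": "nosniff",
    // Loading as a sub-resource (img, script, fetch) from another origin.
    "Cross-Origin-Resource-Policy": "same-origin",
    // Loading as a document inside another origin's frame.
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    // Window handle: cross-origin openers lose their reference to this page.
    "Cross-Origin-Opener-Policy": "same-origin",
    // The decision below depends on these request headers, so caches must vary.
    "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
  };
}

// Request handling: decide from Fetch Metadata whether to serve at all.
// Expects lower-cased header names, as Node's req.headers provides them.
function allowRequest(method, headers) {
  const site = headers["sec-fetch-site"];
  // Browsers without Fetch Metadata send nothing; rely on the response headers.
  if (site === undefined) return true;
  // Same-origin requests and direct user navigation (address bar, bookmark).
  if (site === "same-origin" || site === "none") return true;
  // Otherwise allow only a top-level GET navigation, e.g. a followed link.
  const embedded = ["iframe", "frame", "object", "embed"];
  return headers["sec-fetch-mode"] === "navigate" &&
    method === "GET" &&
    !embedded.includes(headers["sec-fetch-dest"]);
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { name: "own page fetch", method: "GET", headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  { name: "link from other site", method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "cross-site img tag", method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" } },
  { name: "cross-site iframe", method: "GET", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "iframe" } },
  { name: "cross-site form POST", method: "POST", headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
];

// Returns { requestName: true|false } for the sample set.
function decideSamples() {
  return Object.fromEntries(
    SAMPLE_REQUESTS.map((r) => [r.name, allowRequest(r.method, r.headers)]));
}
```

Rejected requests would get a 403 before any sensitive data is read; the response headers still go on every response, since older browsers skip the request-side check.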