W3C Prepares Guidance For Web Development In A Post-Spectre World

Written by Michael Larabel in Programming on 11 March 2021 at 03:26 AM EST. 19 Comments
An editor's draft for post-Spectre web development guidance was made available by the W3C.

The W3C is preparing guidelines for web developers in better ensuring their code is safe from potential exploit by Spectre security vulnerabilities. Spectre has been public since January 2018 and concerns have been known around JIT'ed JavaScript. Made public recently though was the first "fully weaponized" exploit for Spectre beyond the early proof-of-concept code.

The editor's draft of "Post-Spectre Web Development" outlines recommendations for handling of requests, restricting any attackers' ability to load data as a document or sub-resource, preventing MIME-type confusion attacks, and restricting any attackers' ability to handle the window.
Post-Spectre, we need to adopt some new strategies for safe and secure web development. This document outlines a threat model we can share, and a set of mitigation recommendations.

TL;DR: Your data must not unexpectedly enter an attacker’s process.

The current draft can be found at w3c.github.io.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week