W3C Prepares Guidance For Web Development In A Post-Spectre World

Written by Michael Larabel in Programming on 11 March 2021 at 03:26 AM EST. 19 Comments
PROGRAMMING
An editor's draft for post-Spectre web development guidance was made available by the W3C.

The W3C is preparing guidelines for web developers in better ensuring their code is safe from potential exploit by Spectre security vulnerabilities. Spectre has been public since January 2018 and concerns have been known around JIT'ed JavaScript. Made public recently though was the first "fully weaponized" exploit for Spectre beyond the early proof-of-concept code.

The editor's draft of "Post-Spectre Web Development" outlines recommendations for handling of requests, restricting any attackers' ability to load data as a document or sub-resource, preventing MIME-type confusion attacks, and restricting any attackers' ability to handle the window.
Post-Spectre, we need to adopt some new strategies for safe and secure web development. This document outlines a threat model we can share, and a set of mitigation recommendations.

TL;DR: Your data must not unexpectedly enter an attacker’s process.

The current draft can be found at w3c.github.io.
19 Comments
Related News
Rust-Based, Memory-Safe PNG Decoders "Vastly Outperform" C-Based PNG Libraries
Mold 2.35 Released With Big Endian ARM64 Support
Rustls Multi-Threaded Performance Is Battering OpenSSL
PostgreSQL Finally Deprecates MD5 Passwords
PHP 8.4 Released With Property Hooks, Lazy Objects & Other New Features
FLTK 1.4 Released With Wayland & HiDPI Display Support
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
Vulkan Video Now Enabled By Default For Radeon VCN2/VCN3 Hardware On Linux
Rustls Multi-Threaded Performance Is Battering OpenSSL
Fedora 42 Aims To Enhance The Windows Subsystem For Linux Experience
KDE Starts December By Landing A Number Of New Features