Haunted: Chrome's vision for post-Spectre web development

Description:

Ahh, the web, an open platform where sites can communicate with each other, embed third-party content to unlock powerful features, make requests to arbitrary endpoints of other web applications...

Well. Isolation was never a thing on the web, and this creates a number of security issues, but Spectre took this to the next level.

In response to this new type of vulnerability, Chrome and other web browsers have worked to make attacks harder by implementing Site Isolation. But Site Isolation doesn't fix it all, and the house is still haunted: Spectre attacks are still possible. The risk is very real, and working JavaScript exploits have demonstrated the spooky potential of this class of attacks.

So, what can you do? In this session, we'll look at how you can keep your site secure and capable with Sec-Fetch- headers, Cross-Origin Opener Policy and more. We'll explore techniques and tooling that can help you adopt these features, and we'll finish with some thoughts on what Chrome envisions for the future of web security.

Speaker:

Maud Nalpas

Developer Relations Engineer
