Web Directions Safe 2023 security, privacy, identity

Session Details

Bjarki Ágúst Guðmundsson

Eliminating XSS by adopting Trusted Types

Bjarki Ágúst Guðmundsson, Security Engineer, Google

Year after year, Cross-Site Scripting (XSS) continues to be the most expensive type of web vulnerability found in bug bounty programs. The most common variant of XSS occurs on the client side, when untrusted user input is passed to dangerous DOM APIs. Trusted Types is a novel web browser API designed to eliminate DOM-based XSS. It locks down dangerous DOM sinks, asking developers to prove that input is safe by using an appropriate security policy to avoid triggering a Trusted Types violation. Analyzing results from Google's Vulnerability Reward Program, it has been shown to prevent at least 61% of DOM-based XSS that Google's static code analysis pipeline missed. In this talk we show how web applications can significantly strengthen their security posture against DOM-based XSS by adopting Trusted Types, as well as the steps required to identify, fix, and prevent future Trusted Types violations.
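As an added illustration (not part of the session abstract or the speaker's material), the snippet below shows the mechanism the abstract describes: a page that enforces Trusted Types via CSP, a registered policy that escapes untrusted text, and a sink (`innerHTML`) that accepts only what the policy produced. It assumes the policy name `escaper` is the one allowlisted in the CSP header, and falls back to a plain object where `trustedTypes` is absent (e.g. Node.js) so the policy rules can still be exercised.

```javascript
// Added example: a minimal Trusted Types policy for a page sending the header
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types escaper
// With that header in place, assigning a plain string to element.innerHTML
// throws a TypeError (a Trusted Types violation); only TrustedHTML produced
// by a registered policy is accepted by the sink.

// HTML-escape untrusted text so it is rendered literally, never parsed as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The policy rules. createHTML is what the browser invokes when code asks the
// policy to vouch for a string; this policy escapes rather than sanitises, so
// its output can never contain live markup.
const policyRules = {
  createHTML: (input) => escapeHtml(input),
};

// Register with the browser when Trusted Types is available; otherwise keep a
// plain object with the same rules (assumption: this fallback exists only so
// the example runs outside a browser, e.g. under Node.js).
const tt = globalThis.trustedTypes;
const escaperPolicy = tt ? tt.createPolicy('escaper', policyRules) : policyRules;

// Render untrusted text into a container through the policy. In an enforcing
// browser the innerHTML assignment succeeds only because the value is TrustedHTML;
// passing the raw string instead would be a Trusted Types violation.
function renderUntrusted(container, untrusted) {
  const trusted = escaperPolicy.createHTML(untrusted);
  container.innerHTML = trusted;
  return String(trusted);
}

// Constructed sample input: markup arriving from an untrusted source such as
// location.hash. The stand-in container replaces a DOM element for Node.js.
const sampleInput = '<script>alert(1)</script>';
const fakeContainer = { innerHTML: '' };
renderUntrusted(fakeContainer, sampleInput);
```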

Bjarki Ágúst Guðmundsson

Bjarki has a strong technical background in computer science, having started developing websites at an early age. He holds an M.Sc. in Computer Science and a B.Sc. in Discrete Mathematics from Reykjavík University, with a short academic career resulting in several peer-reviewed publications and talks at international conferences in both Computer Science and Mathematics. Bjarki previously worked as an information security consultant, performing everything from application assessments to real-world attack simulations. At Google, Bjarki carries out security hardening of application frameworks and develops inherently secure APIs and compiler guards that guide developers to these APIs.

Don't miss your chance to see Bjarki Ágúst Guðmundsson and many other inspiring speakers at Safe '21.

Tickets start at $195.

Register Now

security, privacy, identity for front end developers


Code of Conduct

For over a decade, we've worked hard to create inclusive, fun, inspiring and safe events for the Web Industry.

As part of our commitment to these values, we've adopted a code of conduct for all involved: ourselves, our speakers, our partners and our audience.

If you have any concern or feedback, please don't hesitate to contact us.