2025-08-05, Florentine E
Cross-site scripting (XSS) remains the dominant class of bugs exploited on the web today. Over the past decade, Google's security and product teams have invested heavily in scalable defenses, including code hardening and the adoption of web platform features that prevent or mitigate XSS across our ecosystem. In this talk, we will give developers a blueprint for enabling robust XSS protections in their own code.
We will share how we rolled out our two biggest runtime protections against XSS, strict Content Security Policy and Trusted Types, together with the compile-time protections that complement them, across hundreds of products used by billions of users. We will cover the technical lessons learned and summarize best practices for keeping your code secure.
We will also look at what the future holds for anti-XSS protections, including the platform-level defaults we would like to see in order to eradicate XSS as an endemic problem across all web apps.
We marked 20 minutes as a preference in the form, but we are flexible on the talk length for the "Breaking Ground" format!
Over the last decade, we have been working on an at-scale solution for injection attacks against frontend codebases that could generalize across thousands of web apps, and we've spent quite a bit of time rolling out these mitigations to all of these products! We want to share the wealth of applied knowledge gathered from this experience with web developers and security professionals.
We have presented these philosophical ideas at other talks before, but the format of the "Breaking Ground" talks was especially fascinating to us! We spent a lot of time thinking about which of our internally honed approaches and tooling were the most useful, and spent some time developing external/OSS versions of them to benefit the ecosystem. Based on how some other talks covering some of these tools went, we thought a more interactive, demo-based format where we could be closer to the audience would drive home how easily applicable these mitigation approaches are in the developer lifecycle.
Some demos we are planning, especially focused on how they fit into web security:
- https://github.com/google/strict-csp
- https://www.npmjs.com/package/safevalues
- https://www.npmjs.com/package/tsec
- https://github.com/google/safety-web
- https://github.com/google/trusted-types-helper
Given the demo-heavy nature of this session, we will also show some AI-automated approaches in action, which, used in conjunction with these tools, can really supercharge the mitigations you run across your web app codebase!
Jen Ozmen is a Software Engineer at Google, where she works on the Information Security Engineering team. She is passionate about building secure and reliable software, and she is always looking for new ways to improve the security of Google's products and services.
Aaron is a software engineer at Google who focuses on web security features and adoption across all Google products. Before working on security, he was on product teams for Google Cloud and Google Workspace. Before Google, he had a brief stint at Microsoft. Prior to big tech, he wrote a lot of Ruby on Rails code.