[4] [[セキュリティー]]は、 [[Web]] においても重要です。

* 起源

[FIG(short list)[ [14] [[Web]] [[起源]]モデル
- [[同一起源ポリシー]]
-- [[起源]]
-- [[同じ起源]]
- [[CORS]]
-- [CODE[crossorigin]]
- [CODE(HTTP)@en[[[Origin:]]]]
- [CODE[document.domain]]
- [[Public Suffix List]]
- [[port blocking]]
- [[origin-clean]]
- [CODE[Secure]]
- [[CORB]]
- [[CORP]]
- [[COEP]]
- [CODE(HTTP)@en[[[X-Frame-Options:]]]]

[HISTORY[
- [CODE[crossdomain.xml]]
- [[セキュリティーゾーン]]
- [CODE[navigator.security]]
]HISTORY]
]FIG]

* 輸送路

[FIG(short list)[ [16] 輸送路安全性
- [[保安輸送路]]
- [[TLS]]
- [[HTTPS]]
- [[HSTS]]
- [[HTTPS状態]]
- [[Mixed Content]]
- [CODE[HTTPOnly]]
- [CODE(HTTP)@en[Content-MD5:]]

[HISTORY[
- [[S-HTTP]]
- [[Form Signing]]
- [CODE(HTTP)@en[Digest:]]
- [[Opportunistic Security]]
]HISTORY]
]FIG]

* 機能

[FIG(short list)[ [15] [[機能]]制限
- [CODE(HTTP)@en[[[X-Content-Type-Options:]]]]
- [CODE(HTTP)@en[[[X-XSS-Protection:]]]]
- [[CSP]]
- [CODE(HTMLa)@en[[[sandbox]]]]
- [CODE(HTMLa)@en[integrity]] ([[SRI]])
- [[Permission API]]
- [[triggered by user activation]]

[HISTORY[
- [[EPR]]
- [CODE(JS)@en[[[taintEnabled]]]]
]HISTORY]
]FIG]

[FIG(short list)[ [17] [[要求]]の情報
- [CODE[Referer:]]
- [[Referrer Policy]]
- [CODE[Sec-Fetch-*:]]
]FIG]


* 暗号化

[FIG(short list)[ [7] [[暗号化]]と[[署名]]
- [[cipher suite]]
- [[Web Crypto]]
- [[JWS]]
- [[JWE]]
]FIG]

* 認証

[FIG(short list)[ [8] [[Web]] [[認証]]プロトコル
- [[HTTP認証]]
- [[Cookie認証]]
- [[OAuth]]
- [[OpenID]]
- [[セッションID]]
- [[BrowserID]]
- [[JWT]]
- [CODE[<input type=password>]]

[HISTORY[
- [[かんたんログイン]]
- [[WSSE認証]]
]HISTORY]
]FIG]

[FIG(short list)[ [9] [[証明書]]と[[鍵]]
- [[PKI]]
- [[PKIX]]
- [[証明書]]
- [[OCSP]]
- [[service identity]]
- [[SSLクライアント認証]]
- [[JWK]]

[HISTORY[
- [CODE(HTMLe)@en[[[keygen]]]]
- [[PKP]]
]HISTORY]
]FIG]

* プライバシー

[FIG(short list)[ [10] [DFN[Webのプライバシー]]
- [[fingerprinting vector]]
- [[a plausible language]]

[HISTORY[
- [[DNT]]
- [[P3P]]
]HISTORY]
]FIG]


* 安全性に関する機能

[FIG(short list)[
- [CODE(HTTP)@en[[[Prefer:Safe]]]]

[HISTORY[
- [CODE(HTTP)@en[[[PICS-Label:]]]]
- [[POWDER]]
]HISTORY]
]FIG]


* Web のよくある脆弱性

[6] 
[FIG(short list)[
- [[XSS]]
- [[CSRF]]
- [[クリックジャッキング]]
- [[SQLインジェクション]]
- [[セッション固定攻撃]]
- [[ブラクラ]]
- [[basic認証ブラクラ]]
- [[フィッシング]]
- [[開放型リダイレクト器]]
- [[JSONP]]
- [[CSSXSS]]
- [[スーパークッキー]]
- [[Webバグ]]
- [[DoS攻撃]]/[[DDoS攻撃]]
- [[CRIME攻撃]]/[[BREACH攻撃]]
- [[cross-protocol attack]]
- [[XML entity explosion attack]]
- [["Pixel Perfect" attack]]
- [[HEIST]]
- [[URL Scheme Hijacking]]
- [[URL injection]]
- [CODE[TRACE]]
- [[サイバーノーガード戦法]]
- [[プロトコル横断攻撃]]
- [[アプリ内ブラウザー]]の不正利用
]FIG]

* セキュリティーに関する団体

[5] 
[FIG(short list)[
- [[webappsec]]
- [[CA/Browser Forum]]
]FIG]

* メモ

[12] [[DRM]] ([[EME]]) を「[[セキュリティー]]」だと主張する人もいます。

[11] >>12 実際は[[プライバシー]]侵害で攻撃なんだが

[1] [CITE@en[Strawman Self-Review Questionnaire: Security and Privacy]]
([TIME[2015-01-17 01:08:42 +09:00]] 版)
<https://mikewest.github.io/spec-questionnaire/security-privacy/>

[2] [CITE@en[Self-Review Questionnaire: Security and Privacy]]
([TIME[2015-12-08 18:51:26 +09:00]] 版)
<http://www.w3.org/TR/2015/NOTE-security-privacy-questionnaire-20151210/>

[3] [CITE@en[Self-Review Questionnaire: Security and Privacy]]
([TIME[2015-04-24 16:39:21 +09:00]] 版)
<https://w3ctag.github.io/security-questionnaire/>

[13] [CITE@en[jbtronics/CrookedStyleSheets: Webpage tracking only using CSS (and no JS)]]
([TIME[2018-01-19 19:02:25 +09:00]])
<https://github.com/jbtronics/CrookedStyleSheets>