Friday, June 28 • 3:30pm - 4:15pm
DOM Jungle - Can We Trust The UI?


One thing's for sure - we can no longer trust all code running under the same origin as our app, because in today's development landscape web apps are mostly composed of third-party code that their builders do not control.

Thus, we can no longer safely perform many operations we're used to trusting blindly. A significant one is DOM interaction - if some code I don't trust runs in my app, how can I rest assured it doesn't manipulate the DOM and the content accessible to the user? If I present them with sensitive content, can an attacker just steal it? What stops them from changing my website's layout to phish the user?

Restricting access to the DOM is a very hard problem to solve because of how the DOM is designed.

In this talk, we'll make it clear why the DOM API is so complicated to confine, explain why this problem is so concerning, and explore novel approaches for addressing it, such as SnowJS, LavaDome and LavaMoat, and how they open up new possibilities for finally working safely with the DOM.


Speakers
Gal Weizman

Security Engineer, MetaMask
Gal is an expert in browser JavaScript and client-side security with close to a decade of proven experience in multiple fields, ranging from vulnerability research and bot mitigation, through application and supply chain security, to anti-debugging research, browser extension security...


Friday June 28, 2024 3:30pm - 4:15pm WEST