SecAppDev 2026 lecture details
The Art of Cross-site Leaks
XS-Leaks bypass the same-origin policy to infer sensitive user data via browser side-channels. Learn how these invisible attacks work, what browser vendors are doing, and the simple steps you can take to secure your applications.
Wednesday June 3rd, 14:00 - 15:30
Room West Wing
Abstract
This talk dives into the little-explored world of cross-site leaks (XS-Leaks), a class of side-channel attacks that bypass the same-origin policy. We will explore how malicious sites can infer sensitive cross-origin user data (such as login state or search results) by exploiting legitimate browser behaviors such as network timing, cache hits, and frame counting. The session will cover the risks XS-Leaks pose and evaluate current browser defenses. Finally, we will provide actionable, simple steps web developers can take to secure their applications against these threats.
Key takeaway
XS-Leaks bypass SOP through side channels and native browser features; learn how SameSite and Fetch Metadata help defend your apps.
Content level
Advanced
Target audience
Web developers, security enthusiasts, CISOs
Prerequisites
General understanding of web security
Join us for SecAppDev. You will not regret it!
Grab your seat now
Tom Van Goethem
Software engineer / Researcher, Google / KU Leuven
Expertise: Web security and privacy
Related lectures
An Updated Security Model of the Web
Deep-dive lecture by Philippe De Ryck in room Lemaire
Monday June 1st, 14:00 - 15:30
An up-to-date look at the browser security model, new browser features, and how mechanisms like the Sanitizer API, cookie prefixes, and script integrity help build more secure web applications.
Key takeaway: Understand how browsers think about security, and how to leverage modern browser features in your applications.
Demystifying CSP for Modern Applications
Deep-dive lecture by Philippe De Ryck in room West Wing
Wednesday June 3rd, 09:00 - 10:30
CSP is often seen as complex and frustrating. This session explains why most policies fail, how to fix them, and how to apply CSP effectively in modern applications, including single page apps.
Key takeaway: Understand why CSP often fails and learn how to implement it correctly with practical, actionable guidance.
Security by default - A European perspective on cyber resilience
Deep-dive lecture by Freddy Dezeure in room Lemaire
Monday June 1st, 09:15 - 10:30
A technical deep dive into how Microsoft implements security, resilience, and regulatory compliance at scale, mapping NIS2, DORA, and Secure-by-Default principles to concrete controls, engineering processes, and tenant-level protections.
Key takeaway: Learn how regulatory requirements become enforceable controls, measurable metrics, and practical Secure-by-Default engineering across cloud systems.