Browse All Posts

This page lists only 100 posts at a time. Click the “Load more posts” button at the bottom of the page to load more.

Defense Techniques: Reporting Phish

While I have a day job, I’ve been moonlighting as a crimefighting superhero for almost twenty years. No, I’m not a billionaire who dons a rubber bat suit to beat up bad guys– I’m instead flagging phishing websites that try…

SlickRun

While I’m best known for creating Fiddler two decades ago, eight years before Fiddler’s debut I started work on what became SlickRun. SlickRun is a floating command line that provides nearly instant access to almost any app or website. Originally…

2022 EOY Fitness Summary

I spent dramatically more time on physical fitness in 2022 than I have at any other point in my life, in preparation for my planned adventure this June. My 2022 statistics from iFit on my incline trainer/treadmill show that I…

Attack Techniques: Priming Attacks on Legitimate Sites

Earlier today, we looked at two techniques for attackers to evade anti-phishing filters by using lures that are not served from http and https urls that are subject to reputation analysis. A third attack technique is to send a lure…

Attack Techniques: Phishing via Mailto

Earlier today, we looked at a technique where a phisher serves his attack from the user’s own computer so that anti-phishing code like SmartScreen and SafeBrowsing do not have a meaningful URL to block. A similar technique is to encode…

Attack Techniques: Phishing via Local Files

One attack technique I’ve seen in use recently involves enticing the victim to enter their password into a locally-downloaded HTML file. The attack begins by the victim receiving an email with a HTML file attachment (for me, often with the…

ProjectK.commit()

Cruising solo across the Gulf of Mexico last Christmas, I had a lot of time to think. Traveling alone, I could do whatever I wanted, whenever I wanted. And this led me to realize that, while I was about to…

Missed Half

After last month’s races, I decided that I could reduce some of my stress around my first half marathon (Austin 3M at the end of January) by running a slow marathon ahead of time — a Race 0 if you…

TLS Certificate Verification Changes in Edge

When establishing a secure HTTPS connection with a server, a browser must validate that the certificate sent by the server is valid — that is to say, that: In the past, Chromium running on Windows delegated this validation task to…

Mark-of-the-Web: Additional Guidance

I’ve been writing about the Mark-of-the-Web (MotW) security primitive in Windows for decades now, with 2016’s Downloads and MoTW being one of my longer posts that I’ve updated intermittently over the last few years. If you haven’t read that post…

Q4 Races

I finished the first section of Tommy Rivers’ half-marathon training series (in Bolivia) and have moved on to the second section (Japan). I ran two Austin races in November, notching some real-world running experience in preparation for the 3M Half…

Driving Electric

While my 2013 CX-5 is reasonably fuel-efficient (~28mpg in real world driving), this summer I watched in dismay as gas prices spiked. Even when my tank was almost full, watching prices tick up every time I drove past a gas…

Thoughts on Twitter

When some of the hipper PMs on the Internet Explorer team started using a new “microblogging” service called Twitter in the spring of 2007, I just didn’t “get it.” Twitter mostly seemed to be a way to broadcast what you’d…

“Not Secure” Warning for IE Mode

A customer recently wrote to ask whether there was any way to suppress the red “/!\ Not Secure” warning shown in the omnibox when IE Mode loads a HTTPS site containing non-secure images: Notably, this warning isn’t seen when the…

Microsoft Employee’s Guide to Maximizing Donations

Perhaps the most impactful perk for employees of Microsoft is that the company will match charitable donations up to a pretty high annual limit ($15K/year), and will also match volunteering time with a donation at a solid hourly rate up…

Q: Why do tabs sometimes show an orange dot?

Sometimes, you’ll notice that a background tab has an orange dot on it in Edge (or a blue dot in Chrome). If you click on the tab, the dot disappears. Why?The dot indicates that the tab wants “attention” — more…

Capturing Logs for Debugging SmartScreen

The Microsoft Edge browser makes use of a service called Microsoft Defender SmartScreen to help protect users from phishing websites and malicious downloads. The SmartScreen service integrates with a Microsoft threat intelligence service running in the cloud to quickly block…

Cruising Alaska (Alaskan Brews Cruise)

I lived in the Seattle area for nearly 12 years, and one of my regrets is that I never took advantage of any of the Alaskan cruises that conveniently leave from Pier 91 a few miles out of downtown. Getting…

HTTPS Goofs: Forgetting the Bare Domain

As I mentioned, the top failure of HTTPS is failing to use it, and that’s particularly common in in-bound links sent via email, in newsletters, and the like. Unfortunately, there’s another common case, whereby the user simply types your bare…

Best Practice: Post-Mortems

I’ve written a bit about working at Google in the past. Google does a lot of things right, and other companies would benefit by following their example. At Google, one of the technical practices that I thought was both essential…

Badware Techniques: Notification Spam

I tried visiting an old colleague’s long-expired blog today, just to see what would happen. I got redirected here: Wat? What is this even talking about? There’s no “Allow” link or button anywhere. The clue is that tiny bell with…

Edge’s Super-Res Image Enhancement

One interesting feature that the Edge team is experimenting with this summer is called “SuperRes” or “Enhance Images.” This feature allows Microsoft Edge to use a Microsoft-built AI/ML service to enhance the quality of images shown within the browser. You…

QuickFix: Trivial Chrome Extensions

Almost a decade before I released the first version of Fiddler, I started work on my first app that survives to this day, SlickRun. SlickRun is a floating command line that can launch any app on your PC, as well…

Passkeys – Syncable WebAuthN credentials

Passwords have lousy security properties, and if you try to use them securely (long, complicated, and different for every site), they often have horrible usability as well. Over the decades, the industry has slowly tried to shore up passwords’ security…

Understanding Browser Channels

Microsoft Edge (and upstream Chrome) is available in four different Channels: Stable, Beta, Dev, and Canary. The vast majority of Edge users run on the Stable Channel, but the three pre-Stable channels can be downloaded easily from microsoftedgeinsider.com. You can…

Certificate Revocation in Microsoft Edge

When you visit a HTTPS site, the server must present a certificate, signed by a trusted third-party (a Certificate Authority, aka CA), vouching for the identity of the bearer. The certificate contains an expiration date, and is considered valid until…

New Recipes for 3rd Party Cookies

For privacy reasons, the web platform is moving away from supporting 3rd-party cookies, first with lockdowns, and eventually with removal of support in late 2023 the second half of 2024. Background: What Does “3rd-Party” Mean? A 3rd-party cookie is one…

My Next Opportunity

This is the farewell email I sent to my Edge teammates yesterday. IWebBrowser3::BeforeNavigate() When I left the Internet Explorer team in 2012 to work on Fiddler full-time, I did so with a measure of heartbreak, absolutely certain that I would…

Edge URL Schemes

The microsoft-edge: Application Protocol Microsoft Edge implements an Application Protocol with the scheme microsoft-edge: that is designed to launch Microsoft Edge and pass along a web-schemed URL and/or additional arguments. A basic invocation might be as simple as: microsoft-edge:http://example.com/ However,…

End of Q2 Check-in

Back in January, I wrote about my New Years’ Resolutions. I’m now 177 days in, and things are continuing to go well. Health and Finance: A dry January. Exceeded. I went from 2 or 3 drinks a night six times a week…

Captive Portals

When you join a public WiFi network, sometimes you’ll notice that you have to accept “Terms of Use” or provide a password or payment to use the network. Your browser opens or navigates to a page that shows the network’s…

Extending Fiddler’s ImageView

Fiddler’s ImageView Inspector offers a lot of powerful functionality for inspecting images and discovering ways to shrink an image’s byte-weight without impacting its quality. Less well-known is the fact that the ImageView Inspector is very extensible, such that you can…

“Batteries-Included” vs “Bloated”

Fundamentals are invisible. Features are controversial. One of the few common complaints against Microsoft Edge is that “It’s bloated– there’s too much stuff in it!” A big philosophical question for designers of popular software concerns whether the product should include…

Chromium Startup

This morning, a Microsoft Edge customer contacted support to ask how they could launch a URL in a browser window at a particular size. I responded that they could simply use the –window-size=”800,600″ command line argument. The customer quickly complained…

Microsoft Edge Tips and Tricks

Last Updated: June 3, 2022. The intent of this post is to capture a list of non-obvious features of the browser that might be useful to you. Q: How do I find the tab playing audio? It’s cool that Microsoft…

Losing your cookies

“My browser lost its cookies” has long been one of the most longstanding Support complaints in the history of browsers. Unfortunately, the reason that it has been such a longstanding issue is that it’s not the result of a single…

Thoughts on Impact

In this post, I talk a lot about Microsoft, but it’s not only applicable to Microsoft. It’s once again “Connect Season” at Microsoft, a biannual-ish period when Microsoft employees are tasked with filling out a document about their core priorities,…

Unexpectedly HTTPS?

While I’m a firm believer that every site should be using HTTPS, sadly, not every site is yet doing so. Looking at Chrome data, today around 92% of navigations are HTTPS: …and the pages loaded account for around 95% of…

Chromium Internals: PAK Files

Web browsers are made up of much more than the native code (mostly compiled C++) that makes up their .exe and .dll files. A significant portion of the browser’s functionality (and bulk) is what we’d call “resources”, which include things…

Real-World Running

Yesterday, I ran my first 10K in “the real world”, my first real world run in a long time. Almost eleven years ago I ran a 5K, and 3.5 years ago I ran a non-competitive 5 miler on Thanksgiving. I…

End of Q1 Check-in

tl;dr: On track. Back in January, I wrote about my New Years’ Resolutions. I’m now 90 days in, and things are continuing to go well. Health and Finance: A dry January. Exceeded. I stopped drinking alcohol on any sort of regular basis;…

Chromium’s DNS Cache

From the mailbag: Q: How long does Chromium cache hostnames? I know a user can clear the hostname cache using the Clear host cache button on about://net-internals/#dns, but how long it will take for the cache to be removed if…

The “Magical” Back Button

From the mailbag: Eric, when I am on bing.com in Edge or Chrome and I type https://portal.microsoft.com in the address bar, I go through some authentication redirections and end up on the Office website. If I then click the browser’s…

Edge/Chrome Policy Registry Entries

One of the more common problems reported by Enterprises is that certain Edge/Chrome policies do not seem to work properly when the values are written to the registry. For instance, when using the about:policy page to examine the browser’s view…

Smarter Defaults by Paying Attention

As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions of varying levels of importance: should a particular API be available? Should a resource load be permitted? Should script be allowed to…

Mid-February Checkin

tl;dr: On track. Back in January, I wrote about my New Years’ Resolutions. I’m now 45 days in, and things are going pretty well. Health and Finance: A dry January. Dry January has turned into dry February. Beyond idle thoughts…

MHTML in Chromium

The MHTML file format (aka “Webpage, single file”) allows a single file to contain the multiple resources that are used to load a webpage (script, css, images, etc). Edge (Chromium) has an option to use the format when saving the…

Adding Protocol Schemes to Chromium

Previously, I’ve written a lot about Application Protocols, which are a simple and popular common mechanism for browsers to send a short string of data out to an external application for handling. For instance, mailto is a common example of…

Debugging Compatibility in Edge

Background By moving from our old codebase to Chromium, the Microsoft Edge team significantly modernized our codebase and improved our compatibility with websites. As we now share the vast majority of our web platform code with the market-leading browser, it’s…

Recognizing Edge Windows

Yesterday, we had a customer reach out to us for help on an issue they’d encountered while writing code to interact with Microsoft Edge windows. Their script enumerated every window in the system, looking for those with Microsoft Edge in…

Trim Your Whitespace

Leading and trailing whitespace are generally invisible. Humans are bad at dealing with things they can’t see. If your system accepts textual codes, or any other human-generated or human-mediated input, you should trim whitespace, whether it’s leading, trailing, or inline…

Debug Native Messaging

Prelude Last month, an Enterprise customer reached out to report that a 3rd-party browser extension they use wasn’t working properly. Investigation of the extension revealed that the browser extension relied upon a NativeMessaging Host (NMH) companion that runs outside of…

Lock down web browsing using Kiosk Mode

Browsers get used in many different environments. Today, I take a look at scenarios where there’s either no interactive user (digital signage) or a potentially malicious user (internet kiosks). Digital Signage (fullscreen) Requirements In the Digital Signage scenario, there’s a…

getaddrinfo(2022)

New Years’ Resolutions aren’t really my jam. Over the years, I usually idly ponder some vague notion (usually “get in better shape”) in late December, and mostly forget about it by the second week of January or so. This year,…

Edge Command Line Arguments

Microsoft Edge offers broad variety of configuration options via Group Policy (for Enterprises), the edge://settings page, the edge://flags page (mostly experimental options), and finally via command-line arguments that are passed to the msedge.exe executable. This list of sources is roughly…

Cruising Solo

For Christmas 2020, I was home alone. The highlight of my day was discovering that Jack in the Box was open. I enjoyed my Christmas cheeseburger dinner at a picnic table in a park down the street. Unexpectedly, my Christmas…

Microsoft Edge’s Many Processes

Chromium-based browsers like Microsoft Edge use a multi-process architecture for reliability and security reasons. tl;dr For reliability, Process isolation means that if one process crashes, the entire browser need not go down. For example, if a page on leaky.com has…

View-Source

Chromium offers two ways for an end-user to view the source code of a web page: 1) the Developer Tools, and 2) The longstanding view-source viewer. Of these, the Developer Tools have received almost all of the attention over the…

Spooky: Enhancing Dark Mode in Chromium

I am not really a fan of Dark Mode — I like my screens bright and shiny. But it’s October, and it’s sometimes fun to make things dark and spooky. Some users of my Show Browser Version extension wanted it…

MoarTLS: Non-Secure Download Blocking

With little fanfare, an important security change has arrived on the web. Now, all major browsers (except Safari) block non-secure downloads from a secure page. Browser VersionBehaviorEdge 94+Block with right-click “Keep” buttonChrome 94Block SilentlyFirefox 93Block with “Allow download” buttonBrave 1.30.89Block…

Accessibility (UIA) Troubleshooting

Chromium-based browsers offer a number of accessibility-related features. When you visit about:accessibility, you can see more about the state of these features (similarly, you can find the states in about:histograms/Accessibility.ModeFlag). You can enable features via the Accessibility page, or pass…

Practical Time Machines

Many “emergency” situations in our modern world would’ve been easy to fix had they been foreseen in advance. If only we’d known what was going to happen, the badness could’ve easily been prevented. Unfortunately, when problems are discovered only “as…

Determining OS Platform Version

In general, you should not care what Operating System visitors are using to visit your website. If you attempt to be clever, you will often get it wrong and cause problems that are an annoyance for users and a hassle…

Inspecting Certificates in Edge

Curious about how to see a website’s HTTPS certificate in Microsoft Edge? You’ve got two options: A companion post to 2017’s post Inspecting Certificates in Chrome.

Leaky Abstractions

In the late 1990s, the Windows Shell and Internet Explorer teams introduced a bunch of brilliant and intricate designs that allowed extension of the shell and the browser to handle scenarios beyond what those built by Microsoft itself. For instance,…

Offline NetLog Viewing

A while back, I explained how you can use Telerik Fiddler or the Catapult NetLog Viewer to analyze a network log captured from Microsoft Edge, Google Chrome, or another Chromium or Electron-based application. While Fiddler is a native app that…

Download Blocking by File Type

Last Updated: 19 December 2022 I’ve previously gushed about the magic of the File Type Policies component — a mechanism that allows files to be classified by their level of “dangerousness”, such that harmless files (e.g. .txt files) can be…

Per-Site Permissions in Edge

Last year, I wrote about how the new Microsoft Edge browser mostly ignores Security Zones (except in very rare circumstances) to configure security and permissions decisions. Instead, in Chromium per-site permissions are controlled by settings and policies expressed using a…

Specifying Per-Site Policy with Chromium’s URL Filter Format

Chromium-based browsers like Microsoft Edge make very limited use of Windows Security Zones. Instead, most permissions and features that offer administrators per-site configuration via policy rely on lists of rules in the URL Filter Format. Filters are expressed in a…

Web Proxy Authentication

Last year, I wrote about how the new Microsoft Edge’s adoption of the Chromium stack changed proxy determination away from the Windows Service (WinHTTP Proxy Service) to similar but not identical code in Chromium. This change mostly goes unnoticed, but…

window.close() Restrictions

Sometimes, Web Developers are surprised to find that the window.close() API doesn’t always close the browser window. When looking at the Developer Tools console, they’ll see a message like: Scripts may close only the windows that were opened by them.…

Sandboxing vs. Elevated Browsing (As Administrator)

The Web Browser is the most security-critical application on most users’ systems– it accepts untrusted input from servers anywhere in the world, parses that input using dozens to hundreds of parsers, and renders the result locally as fast as it…

Objectively, the best cat

On March 15, 2009 we put my cat Jill (Jillian, Jilly, Jilly Bean, Jillkin) to sleep at an emergency vet. We didn’t know for sure why her kidneys failed, but it was sudden and unexpected. At times Jill could be grumpy…

Simply Making Simple Fixes Simple for Chromium

Google recently introduced a cool web-based editing tool for Chromium source code, a very stripped down version of the Willy Wonka tooling Googlers get to use for non-Chromium projects. I’ve used this tool to submit two trivial change lists (CLs,…

Client Certificates and Logout

Last Updated May 16, 2022 Back in May 2020, I wrote about Client Certificate Authentication, a mechanism that allows websites to strongly validate the identity of their visitors using certificates presented by the visitor’s browser. One significant limitation for client…

Web “Sessions” in Private Mode

I’ve written about Private Browsing Mode a lot previously, and I’ve written a bit about the behavior of “Session restore” previously, but one topic I haven’t covered is how “Sessions” work while in Private mode. Session Sharing Historically, one of…

Images Keeping You Awake?

A Microsoft Edge user recently complained that her screensaver was no longer activating after the expected delay, and she thought that this might be related to her browser. It was, in a way. To troubleshoot issues where your PC’s screensaver…

Debugging Browsers – Tools and Techniques

Last update: March 29, 2021 Earlier this year, I shared a post on how you can become an expert on web browsers from the comfort of your desk… or anywhere else you have an internet connection. In that post, I…

Local Data Encryption in Chromium

Back in February, I wrote about browser password managers and mentioned that it’s important to understand the threat model when deciding how to implement features and their security protections. Generally speaking, “keeping secrets from yourself” is a fool’s errand, so…

Web Debugging: Watching Element Changes

Recently, I was debugging a regression where I wanted to watch change’s in an element’s property at runtime. Specifically, I wanted to watch the URL change when I select different colors in Tesla’s customizer. By using the Inspect Element tool,…

Browser Memory Limits

Last Update: September 8, 2022 Web browsers are notorious for being memory hogs, but this can be a bit misleading– in most cases, the memory used by the loaded pages accounts for the majority of memory consumption. Unfortunately, some pages…

Web-to-App Communication: The Native Messaging API

Note: This post is part of a series about Web-to-App Communication techniques. One of the most powerful mechanisms for Web-to-App and App-To-Web communication is to use an extension that utilizes the NativeMessaging API. The NativeMessaging API allows an extension running inside…

Font Smoothing in Edge

Update, June 2021: See the Microsoft Edge blog post.Text rendering quality is an amazingly complicated topic, with hardware, settings, fonts, differing rendering engine philosophies, and user preferences all playing key roles. In some cases, however, almost everyone can agree that…

Managing Edge via Policy

The new Microsoft Edge offers a rich set of policies that enable IT administrators to control many aspects of its operation. You can visit edge://policy/ to see the policies in effect in your current browser: Clicking on a policy name…

Seamless Single Sign-On

There are many different authentication primitives built into browsers. The most common include Web Forms authentication, HTTP authentication, client certificate authentication, and the new WebAuthN standard. Numerous different authentication frameworks build atop these, and many enterprise websites support more than…

Beating Private Mode Blockers with an Ephemeral Profile

Back in 2018, I explained how some websites use various tricks to detect that visitors are using Private Mode browsers and force such users to log-in. The most common reason that such sites do this is that they’ve implemented a…

Revealing Passwords

The Microsoft Edge browser, Edge Legacy, and Internet Explorer all offer a convenient mechanism for users to unmask their typing as they edit a password field: Clicking the little eye icon disables the masking dots so that users can see…

Web Proxy Auto Discovery (WPAD)

Back in the mid-aughts, Adam G., a colleague on the IE team, used the email signature “IE Networking Team – Without us, you’d be browsing your hard drive.” And while I’m sure it was meant to be a bit tongue-in-cheek,…

Same Origin Policy & CORS

I wrote some blog posts back in my IEBlog days and they keep getting lost. So I’m linking them here. I’ll probably add some more new content here in the future. Explaining Same-Origin-Policy Part 0: OriginsPart 1: No PeekingPart 2:…

Avoiding Unexpected Navigation

For over twenty years, browsers broadly supported two features that were often convenient but sometimes accidentally invoked, leading to data loss. The first feature was that hitting backspace would send the user back one page in their navigation history. (Dec…

Browser Basics: User Gestures

The Web Platform offers a great deal of power, and unfortunately evil websites go to great lengths to abuse it. One of the weakest (but simplest to implement) protections against such abuse is to block actions that were not preceded…

A bit of GREASE keeps the web moving

For the first few years of the web, developers pretty much coded whatever they thought was cool and shipped it. Specifications, if written at all, were an afterthought. Then, for the next two decades, spec authors drafted increasingly elaborate specifications…

META CHARSET

Someone complained that a Japanese page is garbled in Edge/Chrome, but renders with the correct characters in Firefox and IE: The problem is that Chromium is using an unexpected character set to interpret the response in the HTML Parser. That…

Client Certificate Authentication

While most HTTPS sites only authenticate the server (using a certificate sent by the website), HTTPS also supports a mutual authentication mode, whereby the client supplies a certificate that authenticates the visiting user’s identity. Such a certificate might be stored…

Analyzing Network Traffic Logs (NetLog json)

Previously, I’ve described how to capture a network traffic log from Microsoft Edge, Google Chrome, and applications based on Chromium or Electron. In this post, I aim to catalog some guidance for looking at these logs to help find the…

Debugging Proxy Configuration Scripts in the new Edge

I’ve written about Browser Proxy Configuration a few times over the years, and I’m delighted that Chromium has accurate & up-to-date documentation for its proxy support. One thing I’d like to call out is that Microsoft Edge’s new Chromium foundation…

Celebrating Fifteen Years

While lately I’ve been endlessly streaming the latest news with horrified fascination, this morning my calendar unexpectedly popped up a reminder set over a year ago… Today is the fifteenth anniversary of my big-league blogging debut on the Internet Explorer…

Enigma Conference 2020 – Browser Privacy Panel

Brave, Mozilla Firefox, Google Chrome and Microsoft Edge presented on our current privacy work at the Enigma 2020 conference in late January. The talks were mostly high-level, but there were a few feature-level slides for each browser. My ~10 minute…

Loading…

Something went wrong. Please refresh the page and/or try again.

%d bloggers like this: