Category Archives: browsers

ERR_BLOCKED_BY_CLIENT and HTML5 Sandbox

Recently, many Microsoft employees taking training courses have reported problems accessing documents linked to in those courses in Chrome and Edge. In Edge, the screen looks like this: But the problem isn’t limited to Microsoft’s internal training platform, and can be easily reproduced in Chrome: What’s going on? There are a number of root causesContinue reading “ERR_BLOCKED_BY_CLIENT and HTML5 Sandbox”

Browser Security Bugs that Aren’t: JavaScript in PDF

A fairly common security bug report is of the form: “I can put JavaScript inside a PDF file and it runs!” For example, open this PDF file with Chrome, and you can see the alert(1) message displayed: Support for JavaScript within PDFs is by-design and expected by the developers of PDF rendering software, including commonContinue reading “Browser Security Bugs that Aren’t: JavaScript in PDF”

Attacker Techniques: Gesture Jacking

A few years back, I wrote a short explainer about User Gestures, a web platform concept whereby certain sensitive operations (e.g. opening a popup window) will first attempt to confirm whether the user intentionally requested the action. As noted in that post, gestures are a weak primitive — while checking whether the user clicked orContinue reading “Attacker Techniques: Gesture Jacking”

pushState and URL Blocking

The Web Platform offers a handy API called pushState that allows a website’s JavaScript to change the URL displayed in the address bar to another URL within the same origin without sending a network request and loading a new page. The pushState API is handy because it means that a Web Application can change theContinue reading “pushState and URL Blocking”

Browser Extensions: Powerful and Potentially Dangerous

Regular readers of my blogs know that I love browser extensions. Extensions can make using your browser more convenient, fun, and secure. Unfortunately, extensions can also break web apps in bizarre or amusing ways, dramatically slow your browser performance, leak your personal data, or compromise your device. The designers of the Chromium extension system createdContinue reading “Browser Extensions: Powerful and Potentially Dangerous”

Troubleshooting Edge (or Chrome) Broken UI

Last time, we looked at how to troubleshoot browser crashes. However, not all browser problems result in the tab or browser crashing entirely. In some cases, the problem is that some part of the browser UI doesn’t render correctly. This most commonly occurs with parts of the UI that are written in HTML and JavaScript. InContinue reading “Troubleshooting Edge (or Chrome) Broken UI”

Troubleshooting Edge (or Chrome) Browser Crashes

In the modern browser world, there are two types of crashes: browser crashes and renderer crashes. In a browser crash, the entire browser window with all of its tabs simply vanishes, either on startup, or at some point afterward. The next time the browser starts, it should recognize that the last time it exited wasContinue reading “Troubleshooting Edge (or Chrome) Browser Crashes”

Protecting Auth Tokens

Authenticating to websites in browsers is complicated. There are numerous different approaches: Each of these authentication mechanisms has different user-experience effects and security properties. Sometimes, multiple systems are used at once, with, for example, a Web Forms login being bolstered by multifactor authentication. In most cases, however, Authentication mechanisms are only used to verify theContinue reading “Protecting Auth Tokens”