Category Archives: browsers
Cookies and Concurrency, Redux
Note: This post concerns Edge Legacy (aka Spartan) and does not apply to the modern Chromium-based Edge. In yesterday’s episode, I shared the root cause of a bug that can cause document.cookie to incorrectly return an empty string if the cookie is over 1kb and the cookie grows in the middle of a DOM document.cookie… Continue reading “Cookies and Concurrency, Redux”
ERROR_INSUFFICIENT_BUFFER and Concurrency
Many classic Windows APIs accept a pointer to a byte buffer and a pointer to an integer indicating the size of the buffer. If the buffer is large enough to hold the data returned from the API, the buffer is filled and the API returns S_OK. If the buffer supplied is not large enough to… Continue reading “ERROR_INSUFFICIENT_BUFFER and Concurrency”
Edge Interop Issues
As we finish up the next release of Windows 10 (Fall 2018), my team is hard at work triaging incoming bugs. Many such bugs take the form “Edge does the wrong thing for this page. ${Other_Browser} works okay.” This post is designed to be an (ever-growing) index of some of the behavioral deltas that are… Continue reading “Edge Interop Issues”
Script-Generated Download Files
As we finish up the next release of Windows 10, my team is hard at work triaging incoming bugs. Here’s a pattern that has come up a few times this month: Bug: I click download in Edge Legacy: …but I end up on an error page: Womp womp. If you watch the network traffic, you’ll… Continue reading “Script-Generated Download Files”
CORS and Vary
Yesterday, I started looking at a site compatibility bug where a page’s layout is intermittently busted. Popping open the F12 Tools on the failing page, we see that a stylesheet is getting blocked because it lacks a CORS Access-Control-Allow-Origin response header: We see that the client demands the header because the LINK element that references it… Continue reading “CORS and Vary”
Be skeptical of client-reported MIME Content-Types
Over the 14 years that I’ve been working on browsers and the web platform, I’ve seen a lot of bugs where the client’s configuration causes a problem with a website. By default, Windows maintains File Extension to Content Type and Content Type to File Extension mappings in the registry. You can find the former mappings in… Continue reading “Be skeptical of client-reported MIME Content-Types”
Edge EV UI Requires SmartScreen
A user recently noticed that when loading Paypal.com in Microsoft Edge, the UI shown was the default HTTPS UI (a gray lock): Instead of the fancier “green” UI shown for servers that present Extended Validation (EV) certificates: The user observed this on some Windows 10 machines but not others. The variable that differed between those machines was… Continue reading “Edge EV UI Requires SmartScreen”
Back Home
I rejoined Microsoft as a Principal Program Manager for the web networking team on June 4th, 2018. I’m delighted to be back working with lots of old friends from my Internet Explorer days, as well as lots of new folks who’ve joined while I’ve been pursuing other adventures.
Stop Spilling the Beans
I’ve written about Same Origin Policy a bunch over the years, with a blog series mapping it to the Read/Write/Execute mental model. More recently, I wrote about why Content-Type headers matter for same-origin-policy enforcement. I’ve just read a great paper on cross-origin infoleaks and current/future mitigations. If you’re interested in browser security, it’s definitely worth a read.
Building your .APP website with NameCheap and GitHub Pages–A Visual Guide
I recently bought a few new domain names under the brand new .app top-level-domain (TLD). The .app TLD is awesome because it’s on the HSTSPreload list, meaning that browsers will automatically use only HTTPS for every request on every domain under .app, keeping connections secure and improving performance. I’m not doing anything terribly exciting withContinue reading “Building your .APP website with NameCheap and GitHub Pages–A Visual Guide”