Back in the mid-aughts, Adam G., a colleague on the IE team, used the email signature “IE Networking Team – Without us, you’d be browsing your hard drive.” And while I’m sure it was meant to be a bit tongue-in-cheek, it’s really true: without a working network stack, web browsers aren’t nearly as useful. Background… Continue reading “Web Proxy Auto Discovery (WPAD)”
Category Archives: privacy
Client Certificate Authentication
While most HTTPS sites only authenticate the server (using a certificate sent by the website), HTTPS also supports a mutual authentication mode, whereby the client supplies a certificate that authenticates the visiting user’s identity. Such a certificate might be stored on a SmartCard, or used as a part of an OS identity feature like Windows…
Enigma Conference 2020 – Browser Privacy Panel
Brave, Mozilla Firefox, Google Chrome and Microsoft Edge presented on our current privacy work at the Enigma 2020 conference in late January. The talks were mostly high-level, but there were a few feature-level slides for each browser. My ~10 minute presentation on Microsoft Edge was first, followed by Firefox, Chrome, and Brave. At 40 minutes…
Thoughts on DNS-over-HTTPS
Updated November 30, 2020 with new information about DoH in Edge, ECH, and HTTPSSVC records, and January 25, 2021 with a few remarks about Edge’s implementation. Type https://example.com in your web browser’s address bar and hit enter. What happens? Before connecting to the example.com server, your browser must convert “example.com” to the network address at…
Improving Privacy by Limiting Referrers
Updated July 31, 2020 to reflect changes planned to ship in Chrome 85 and Edge 86. As your browser navigates from page to page, servers are informed of the URL from which you’ve come using the Referer HTTP header; the document.referrer DOM property reveals the same information to JavaScript. Similarly, as the browser downloads the…
Restrictions on File Urls
Last Update: October 1, 2025. For security reasons, Microsoft Edge 76+ and Chrome impose a number of restrictions on file:// URLs, including forbidding navigation to file:// URLs from non-file:// URLs. If a browser user clicks on a file:// link on an https-delivered webpage or PDF, nothing visibly happens. If you open the Developer Tools console on the webpage,…
Same-Site Cookies By Default
The Chrome team is embarking on a clever and bold plan to change the recipe for cookies. It’s one of the most consequential changes to the web platform in almost a decade, but with any luck, users won’t notice anything has changed. But if you’re a web developer, you should start testing your sites and…
Challenges with Federated Identity in modern browsers
Many websites offer a “Log in” capability where they don’t manage the user’s account; instead, they offer visitors the ability to “Login with <identity provider>.” When the user clicks the Login button on the original relying party (RP) website, they are navigated to a login page at the identity provider (IP) (e.g. login.microsoft.com) and then redirected…
Surprise: Undead Session Cookies
I’ve been working on browsers professionally for 12 of the last 15 years, and in related areas for 20 of the last 20, and over the years I’ve discovered enough surprises in browser behavior that they’re no longer very surprising. Back in April, I wrote up a quick post explaining how easy it is to…
Private Browsing Mode
Note: This blog post was originally written before the new Chromium-based Microsoft Edge was announced. As a consequence, it includes discussion of the behavior of the Legacy Microsoft Edge browser. The new Chromium-based Edge behaves largely the same way as Google Chrome. Last Update: 13 June 2025. InPrivate Mode was introduced in Internet Explorer 8…