Category Archives: security

Restrictions on File Urls

Last Update: October 1, 2025 For security reasons, Microsoft Edge 76+ and Chrome impose a number of restrictions on file:// URLs, including forbidding navigation to file:// URLs from non-file:// URLs. If a browser user clicks on a file:// link on an https-delivered webpage or PDF, nothing visibly happens. If you open the Developer Tools console on the webpage,Continue reading “Restrictions on File Urls”

Same-Site Cookies By Default

The Chrome team is embarking on a clever and bold plan to change the recipe for cookies. It’s one of the most consequential changes to the web platform in almost a decade, but with any luck, users won’t notice anything has changed. But if you’re a web developer, you should start testing your sites andContinue reading “Same-Site Cookies By Default”

Aw, snap! What if Every Tab Crashes?

Update: I wrote a more comprehensive post about troubleshooting browser crashes. For a small number of users of Chromium-based browsers (including Chrome and the new Microsoft Edge) on Windows 10, after updating to 78.0.3875.0, every new tab crashes immediately when the browser starts. Impacted users can open as many new tabs as they like, butContinue reading “Aw, snap! What if Every Tab Crashes?”

Web-to-App Communication: App Protocols

Note: This post is part of a series about Web-to-App Communication techniques.Last updated: June 4, 2025 Just over eight years ago, I wrote my last blog post about App Protocols, a class of URI schemes that typically1 open another program on your computer instead of returning data to the web browser. A valid scheme name isContinue reading “Web-to-App Communication: App Protocols”

Updating Browsers Quickly: Flags, Respins, and Components

By this point, most browser enthusiasts know that Chrome has a rapid release cycle, releasing a new stable version of the browser approximately every six 4 weeks (2022 Update: now every four weeks). The Edge team adopted that rapid release cadence for our new browser, and we’re already releasing new Edge Dev Channel builds everyContinue reading “Updating Browsers Quickly: Flags, Respins, and Components”

Protect Your Accounts with 2FA

You should enable “2-Step Verification” for logins to your Google account. Google Authenticator is an app that runs on your iOS or Android phone and gives out 6 digit codes that must be entered when you log in on a device. This can’t really prevent phishing (because a phishing page will just ask you forContinue reading “Protect Your Accounts with 2FA”

Securely Displaying URLs

One of my final projects on the Chrome team was writing an internal document outlining Best Practices for Secure URL Display. Yesterday, it got checked into the public Chromium repro, so if this is a topic that interests you, please have a look! Additionally, at Enigma 2019, the Chrome team released Trickuri (pronounced “trickery”) a tool forContinue reading “Securely Displaying URLs”

Private Browsing Mode

Note: This blog post was originally written before the new Chromium-based Microsoft Edge was announced. As a consequence, it includes discussion of the behavior of the Legacy Microsoft Edge browser. The new Chromium-based Edge behaves largely the same way as Google Chrome. Last Update: 13 June 2025 InPrivate Mode was introduced in Internet Explorer 8Continue reading “Private Browsing Mode”

An Update on the Edge XSS Filter

In Windows 10 RS5 (aka the “October 2018 Update”), the venerable XSS Filter first introduced in 2008 with IE8 was removed from Microsoft Edge. The XSS Filter debuted in a time before Content Security Policy as a part of a basket of new mitigations designed to mitigate the growing exploitation of cross-site scripting attacks, joining older features like HTTPOnlyContinue reading “An Update on the Edge XSS Filter”