The Chrome team is embarking on a clever and bold plan to change the recipe for cookies. It’s one of the most consequential changes to the web platform in almost a decade, but with any luck, users won’t notice anything has changed. But if you’re a web developer, you should start testing your sites and… Continue reading “Same-Site Cookies By Default”
Category Archives: security
Aw, snap! What if Every Tab Crashes?
For a small number of users of Chromium-based browsers (including Chrome and the new Microsoft Edge) on Windows 10, after updating to 78.0.3875.0, every new tab crashes immediately when the browser starts. Impacted users can open as many new tabs as they like, but each will instantly crash: As of Chrome 81.0.3992, the page will show… Continue reading “Aw, snap! What if Every Tab Crashes?”
Web-to-App Communication: App Protocols
Note: This post is part of a series about Web-to-App Communication techniques. Just over eight years ago, I wrote my last blog post about App Protocols, a class of URL schemes that typically¹ open another program on your computer instead of returning data to the web browser. App Protocols² are both simple and powerful, allowing… Continue reading “Web-to-App Communication: App Protocols”
Spying on HTTPS
When I launched Chrome on Thursday, I saw something unexpected: While most users probably would have no idea what to make of this, I happened to know what it means: Chrome is warning me that the system configuration has instructed it to leak the secret keys it uses to encrypt and decrypt HTTPS traffic to… Continue reading “Spying on HTTPS”
Updating Browsers Quickly: Flags, Respins, and Components
By this point, most browser enthusiasts know that Chrome has a rapid release cycle, releasing a new stable version of the browser approximately every six weeks (2022 Update: now every four weeks). The Edge team adopted that rapid release cadence for our new browser, and we’re already releasing new Edge Dev Channel builds every week. Continue reading “Updating Browsers Quickly: Flags, Respins, and Components”
Protect Your Accounts with 2FA
You should enable “2-Step Verification” for logins to your Google account. Google Authenticator is an app that runs on your iOS or Android phone and gives out 6-digit codes that must be entered when you log in on a device. This can’t really prevent phishing (because a phishing page will just ask you for… Continue reading “Protect Your Accounts with 2FA”
Securely Displaying URLs
One of my final projects on the Chrome team was writing an internal document outlining Best Practices for Secure URL Display. Yesterday, it got checked into the public Chromium repo, so if this is a topic that interests you, please have a look! Additionally, at Enigma 2019, the Chrome team released Trickuri (pronounced “trickery”), a tool for… Continue reading “Securely Displaying URLs”
Private Browsing Mode
Note: This blog post was written before the new Chromium-based Microsoft Edge was announced. As a consequence, it mostly discusses the behavior of the Legacy Microsoft Edge browser. The new Chromium-based Edge behaves largely the same way as Google Chrome. InPrivate Mode was introduced in Internet Explorer 8 with the goal of helping users improve… Continue reading “Private Browsing Mode”
An Update on the Edge XSS Filter
In Windows 10 RS5 (aka the “October 2018 Update”), the venerable XSS Filter first introduced in 2008 with IE8 was removed from Microsoft Edge. The XSS Filter debuted in a time before Content Security Policy as a part of a basket of new mitigations designed to mitigate the growing exploitation of cross-site scripting attacks, joining older features like HTTPOnly… Continue reading “An Update on the Edge XSS Filter”
CORS and Vary
Yesterday, I started looking at a site compatibility bug where a page’s layout is intermittently busted. Popping open the F12 Tools on the failing page, we see that a stylesheet is getting blocked because it lacks a CORS Access-Control-Allow-Origin response header: We see that the client demands the header because the LINK element that references it… Continue reading “CORS and Vary”