Surprise: Undead Session Cookies

I’ve been working on browsers professionally for 12 of the last 15 years, and in related areas for 20 of the last 20, and over the years I’ve discovered enough surprises in browser behavior that they’re no longer very surprising. Back in April, I wrote up a quick post explaining how easy it is to…

Edge79+ vs. Edge18 (Edge Legacy) vs. Chrome vs. Internet Explorer

Note: I expect to update this post over time. Last update: April 14, 2023. Compatibility Deltas: As our new Edge Insider builds roll out to the public, we’re starting to triage reports of compatibility issues where Edge79+ (the new Chromium-based Edge, aka Anaheim) behaves differently than the old Edge (Edge18, aka Spartan, aka Edge Legacy)…

Protect Your Accounts with 2FA

You should enable “2-Step Verification” for logins to your Google account. Google Authenticator is an app that runs on your iOS or Android phone and gives out 6-digit codes that must be entered when you log in on a device. This can’t really prevent phishing (because a phishing page will just ask you for…

Securely Displaying URLs

One of my final projects on the Chrome team was writing an internal document outlining Best Practices for Secure URL Display. Yesterday, it got checked into the public Chromium repo, so if this is a topic that interests you, please have a look! Additionally, at Enigma 2019, the Chrome team released Trickuri (pronounced “trickery”), a tool for…

Cookie Controls, Revisited

Update: The October 2018 Cumulative Security Update (KB4462919) brings the RS5 Cookie Control changes described below to Windows 10 RS2, RS3, and RS4. Note: Most of the content about “Edge” in this post describes Edge Legacy; modern Edge is based on Chromium and behaves mostly like Chrome. See more discussion of 3P cookies in 2022’s New…

CORS and Vary

Yesterday, I started looking at a site compatibility bug where a page’s layout is intermittently busted. Popping open the F12 Tools on the failing page, we see that a stylesheet is getting blocked because it lacks a CORS Access-Control-Allow-Origin response header. We see that the client demands the header because the LINK element that references it…
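The title pairs CORS with the Vary header, and the classic way those two interact to produce an intermittent failure is a server that only emits Access-Control-Allow-Origin when the request carries an Origin header, sitting behind a shared cache that is never told to vary on Origin. The following added example (not code from the post, and the scenario, URLs and helper names are constructed assumptions, not the specific site the post investigated) models that interaction: a non-CORS load primes the cache with a response lacking ACAO, and a later `<link crossorigin>` load for the same URL is served that cached copy and blocked. Adding `Vary: Origin` makes the cache key on Origin and the CORS load gets its own response.

```javascript
// Added example: a model of a shared cache serving a non-CORS response to a CORS
// request when the origin server omits Vary: Origin. Constructed scenario, not the
// original post's code or data.
const CSS_URL = "https://cdn.example.test/site.css";   // constructed
const PAGE_ORIGIN = "https://www.example.test";        // constructed

// Origin server: echoes Origin into Access-Control-Allow-Origin only when the request
// carried an Origin header. `sendVary` toggles the fix (Vary: Origin).
function originServer(req, sendVary) {
  const headers = { "content-type": "text/css", "cache-control": "max-age=600" };
  if (req.headers.origin) {
    headers["access-control-allow-origin"] = req.headers.origin;
  }
  if (sendVary) headers["vary"] = "Origin";
  return { status: 200, headers, body: "body { color: red }" };
}

// Shared cache (CDN/proxy) that honours Vary: a stored response is reused only when
// every request header named in its Vary list matches the new request.
class SharedCache {
  constructor() { this.entries = []; }

  lookup(req) {
    const hit = this.entries.find(e =>
      e.url === req.url &&
      e.vary.every(h => (req.headers[h] ?? "") === (e.reqHeaders[h] ?? "")));
    return hit ? hit.response : null;
  }

  store(req, response) {
    const vary = (response.headers["vary"] ?? "")
      .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
    this.entries.push({ url: req.url, vary, reqHeaders: { ...req.headers }, response });
  }
}

// Browser side: <link rel="stylesheet" crossorigin> sends Origin and refuses the
// response unless ACAO matches; a plain <link> sends no Origin and applies anything.
function loadStylesheet(cache, { crossorigin, sendVary }) {
  const req = { url: CSS_URL, headers: crossorigin ? { origin: PAGE_ORIGIN } : {} };
  let res = cache.lookup(req);
  if (!res) {
    res = originServer(req, sendVary);
    cache.store(req, res);
  }
  if (!crossorigin) return "applied";
  const acao = res.headers["access-control-allow-origin"];
  return acao === "*" || acao === PAGE_ORIGIN
    ? "applied"
    : "blocked: missing Access-Control-Allow-Origin";
}

// Scenario: a non-CORS load primes the cache, then a crossorigin LINK requests the
// same URL. Returns the outcome of the second (CORS) load.
function scenario(sendVary) {
  const cache = new SharedCache();
  loadStylesheet(cache, { crossorigin: false, sendVary }); // caches a response with no ACAO
  return loadStylesheet(cache, { crossorigin: true, sendVary });
}

console.log("without Vary: Origin ->", scenario(false)); // blocked
console.log("with Vary: Origin    ->", scenario(true));  // applied
```

The intermittency comes from ordering: whichever request reaches the cache first decides what everyone else gets until the entry expires, which is why the same page can work from one network and fail from another. Checking the failing response in the F12 Network tab for a cache hit and for the absence of `Vary: Origin` is the quick way to confirm this pattern.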

FiddlerCore and Brotli compression

Recently, a developer asked me how to enable Brotli content-compression support in FiddlerCore applications, so that APIs like oSession.GetResponseBodyAsString() work properly when the entity body has been compressed using brotli. Right now, support requires two steps: Put brotli.exe (installed by Fiddler or off GitHub) into a Tools subfolder of the folder containing your application’s executable. Ensure that the…

Working on Google Chrome – Year One

Four weeks ago, emailed notice of a free massage credit revealed that I’ve been at Google for a year. Time flies when you’re drinking from a firehose. When I mentioned my anniversary, friends and colleagues from other companies asked what I’ve learned while working on Chrome over the last year. This rambling post is an…