Bypassing AppProtocol Prompts

Starting in Microsoft Edge 77 (and Chrome 77), the prompt shown when launching an AppProtocol from the browser was changed to remove the “Always allow” checkbox. That change was made, in large part, because this prompt is the only thing standing between every arbitrary site on the Internet (loaded inside your browser’s sandbox) and aContinue reading “Bypassing AppProtocol Prompts”

Browser Password Managers: Threat Models

All major browsers have a built-in password manager. So we should use them, right? I Do I use my browser’s password manager because it’s convenient: with sync, I get all of my passwords on all of my devices. This convenience means that I can use a different password for every website, improving my security. ThisContinue reading “Browser Password Managers: Threat Models”

Demystifying Browsers

Last update: Sept 24, 2020 I started building browser extensions more than 22 years ago, and I started building browsers directly just over 16 years ago. At this point, I think it’s fair to say that I’m entering the grizzled veteran phase of my career. With the Edge team continuing to grow with bright youngContinue reading “Demystifying Browsers”

App-to-Web Communication: Launching Web Apps

In recent posts, I’ve explored mechanisms to communicate from web content to local (native) apps, and I explained how web apps can use the HTML5 registerProtocolHandler API to allow launching them from either local apps or other websites. In today’s post, we’ll explore how local apps can launch web apps in the browser. It’s Simple…Continue reading “App-to-Web Communication: Launching Web Apps”

Microsoft’s Three Browsers

It’s an interesting time. Microsoft now maintains three different web browsers: Internet Explorer 11 Microsoft Edge Legacy (Spartan, v18 and below) Chromium-based Microsoft Edge (v79+) If you’re using Internet Explorer 11, you should stop; sometimes, this is easier said than done. If you’re using Legacy Microsoft Edge, you should upgrade to the new Microsoft EdgeContinue reading “Microsoft’s Three Browsers”

Security Zones in Edge

Browsers As Decision Makers As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions — should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sentContinue reading “Security Zones in Edge”

Retiring Internet Explorer

Prelude In late 2004, I was the Program Manager for Microsoft’s clipart website, delivering a million pieces of clipart to Microsoft Office customers every day. It was great fun. But there was a problem– our “Clip of the Day” feature, meant to spotlight a new and topical piece of clipart every day, wasn’t changing asContinue reading “Retiring Internet Explorer”

Capture Network Logs (NetLog) from Edge and Chrome (and Electron)

Problems in accessing websites can often be found and fixed if the network traffic between the browser and the website is captured as the problem occurs. This short post explains how to capture such logs. Capturing Network Traffic Logs If someone asked you to read this post, chances are good that you were asked toContinue reading “Capture Network Logs (NetLog) from Edge and Chrome (and Electron)”

The Pitfalls of EventSource over HTTP/1.1

While there are many different ways for servers to stream data to clients, the Server-sent Events / EventSource Interface is one of the simplest. Your code simply creates an EventSource and then subscribes to its onmessage callback: Implementing the server side is almost as simple: your handler just prefaces each piece of data it wantsContinue reading “The Pitfalls of EventSource over HTTP/1.1”