Yesterday, we covered the mechanisms that modern browsers can use to rapidly update their release channels. Today, let’s look at how to figure out when an eagerly awaited fix will become available in the Canary channels. By way of example, consider crbug.com/977805, a nasty beast that caused some extensions to randomly be disabled and marked corrupt: ByContinue reading “Livin’ on the Edge: Dude Where’s My Fix?!?”
Category Archives: web
Updating Browsers Quickly: Flags, Respins, and Components
By this point, most browser enthusiasts know that Chrome has a rapid release cycle, releasing a new stable version of the browser approximately every six weeks (2022 Update: now every four weeks). The Edge team adopted that rapid release cadence for our new browser, and we’re already releasing new Edge Dev Channel builds every week.Continue reading “Updating Browsers Quickly: Flags, Respins, and Components”
Challenges with Federated Identity in modern browsers
Many websites offer a “Log in” capability where they don’t manage the user’s account; instead, they offer visitors the ability to “Login with <identity provider>.” When the user clicks the Login button on the original relying party (RP) website, they are navigated to a login page at the identity provider (IP) (e.g. login.microsoft.com) and then redirectedContinue reading “Challenges with Federated Identity in modern browsers”
Surprise: Undead Session Cookies
I’ve been working on browsers professionally for 12 of the last 15 years, and in related areas for 20 of the last 20, and over the years I’ve discovered enough surprises in browser behavior that they’re no longer very surprising. Back in April, I wrote up a quick post explaining how easy it is toContinue reading “Surprise: Undead Session Cookies”
Edge79+ vs. Edge18 (Edge Legacy) vs. Chrome vs. Internet Explorer
Note: I expect to update this post over time. Last update: April 14, 2023. Compatibility Deltas As our new Edge Insider builds roll out to the public, we’re starting to triage reports of compatibility issues where Edge79+ (the new Chromium-based Edge, aka Anaheim) behaves differently than the old Edge (Edge18, aka Spartan, aka Edge Legacy)Continue reading “Edge79+ vs. Edge18 (Edge Legacy) vs. Chrome vs. Internet Explorer”
Protect Your Accounts with 2FA
You should enable “2-Step Verification” for logins to your Google account. Google Authenticator is an app that runs on your iOS or Android phone and gives out 6 digit codes that must be entered when you log in on a device. This can’t really prevent phishing (because a phishing page will just ask you forContinue reading “Protect Your Accounts with 2FA”
Securely Displaying URLs
One of my final projects on the Chrome team was writing an internal document outlining Best Practices for Secure URL Display. Yesterday, it got checked into the public Chromium repro, so if this is a topic that interests you, please have a look! Additionally, at Enigma 2019, the Chrome team released Trickuri (pronounced “trickery”) a tool forContinue reading “Securely Displaying URLs”
Cookie Controls, Revisited
Update: The October 2018 Cumulative Security Update (KB4462919) brings the RS5 Cookie Control changes described below to Windows 10 RS2, RS3, and RS4. Note: Most of the content about “Edge” in this post describes Edge Legacy– modern Edge is based on Chromium and behaves mostly like Chrome. See more discussion of 3P cookies in 2022’s NewContinue reading “Cookie Controls, Revisited”
CORS and Vary
Yesterday, I started looking a site compatibility bug where a page’s layout is intermittently busted. Popping open the F12 Tools on the failing page, we see that a stylesheet is getting blocked because it lacks a CORS Access-Control-Allow-Origin response header: We see that the client demands the header because the LINK element that references itContinue reading “CORS and Vary”
FiddlerCore and Brotli compression
Recently, a developer asked me how to enable Brotli content-compression support in FiddlerCore applications, so that APIs like oSession.GetResponseBodyAsString() work properly when the entity body has been compressed using brotli. Right now, support requires two steps: Put brotli.exe (installed by Fiddler or off Github) into a Tools subfolder of the folder containing your application’s executable. Ensure that theContinue reading “FiddlerCore and Brotli compression”