Organizational Awareness

I’ve found myself a bit stalled in writing my memoir, so I’m going to post a few stories here in the hopes of breaking free of writer’s block…

The use of first names and email aliases at Microsoft could easily lead to confusion for new employees. A few weeks into my first summer (1999) at Microsoft, the interns received an email from a Steven Sinofsky, announcing that there would be a party later that month “at Jillians.” The email was a bit short on details beyond the date and time, and I wanted to make a good impression. I’d hate to show up at some big shot’s fancy house in jeans and a T-shirt only to discover that corporate parties are always formal affairs. So I emailed Steven and asked “will the party at Jillian’s house require formal wear?”

A few minutes later, while musing that it was nicely progressive for Microsoft to have some executive named “Jillian” who had a male secretary/assistant named “Steven,” it occurred to me that I didn’t know who Jillian was or what she products she owned. Fortunately, at Microsoft, the Outlook Address Book (aka the GAL, Global Address List) contains both full names and titles, so I quickly looked up Steven to see who he worked for.

My heart leapt into my throat when I saw Steven’s title. It wasn’t “Administrative Aide,” “Executive Assistant,” or anything else I might have guessed. “Vice President” it said simply. With mounting alarm, I turned around to ask my office-mate: “Um, who’s Jillian?” He looked confused. “You know, the intern party’s at her place?” I clarified.

I watched as comprehension and then amusement dawned. “Oh, Jillian’s is a sports bar and billiards parlor downtown” he replied. Seeing the horror on my face, he continued “Why do you ask?”

I swiveled back to my computer and went to Outlook’s Sent Items folder to confirm that I had indeed made a huge fool of myself. I began frantically hunting through Outlook’s menus… surely there was some way to fix this. The command “Recall this message” leapt off the screen and for the first time in minutes my pulse began to slow. I invoked the command and gave a silent thanks to whomever had invented such a useful feature.

It was weeks before I learned that the way “Recall this message” works tends to increase the likelihood that someone will read your message. Instead of simply deleting the message, it instead sends the recipient a message indicating that you would like to recall your prior message, and requests their permission to delete the original. Most recipients, I expect, then immediately go read the original to see why you deemed a recall necessary. Fortunately for my fragile ego, either Steven didn’t do that, or he took pity on me and simply didn’t reply.

After this experience, I strived to never reply to an email from someone I didn’t know without first consulting the GAL.

Postscript

It was around 8am on a Saturday morning in the winter of 2010 and I’d just woken up. I got an email directly from Steven asking a deeply technical question (restrictions on Unicode endianness when parsing a Mark-of-the-Web in HTML) about some code he was writing. I was seriously impressed, both in that he was clearly writing code, but also that he’d somehow known exactly the most suitable person to send his question to, far down the organizational ladder. I confirmed the limitation and mentioned how inspirational I found it to be working in an organization where my Vice President wasn’t afraid to get his hands dirty.

The afternoon, I was reminiscing about that incident and my first-ever mail to Steven… then I got a sinking feeling. Popping open the GAL, I confirmed my belated recollection that he’d been promoted to President the year before. He never corrected me.

Microsoft Edge Bugs and Omissions

I tweet about the new Microsoft Edge browser quite a lot. I wanted to have a blog post to collect some of the feedback I’ve provided so I have it in one place and can update as needed.

Note: This post mostly focuses on the bad parts of Edge; there are plenty of good parts, including much improved standards support and a safer default security posture.

Last Update: November 2015 Update Most of the trivial issues are fixed; the bigger problems are mostly unfixed

Bugs

1. The “Should I trust this site” link in the HTTPS trust badge goes to page that doesn’t even attempt to answer that question. Update: Sorta fixed.

2. The hover “tooltip” on that site doesn’t do escaping of & properly and also has a text-truncation bug:

Update: Fixed.

3. The RichText tests at www.browserscope.org hang the browser.

4. When Windows UAC is set to “Don’t dim my desktop”, launching a download (e.g. setup.exe) that requires elevation causes the consent window to appear behind the Edge window, effectively causing a denial-of-service condition that hangs the tab.

5. No, not that star, the other one!

6. Remember focus rectangles that show which button is active? Yeah, I miss those.

7. Adding a folder silently fails if the name chosen contains any “special filesystem characters” like ?, :, *, etc.

8. HTML5 Drag/Drop — You can’t drag/drop files into the browser (e.g. on OneDrive.com). Update: Fixed.

9. Microsoft Edge fixed the longstanding (and amusing, due to its root cause) bug whereby it exported HTTP Archive (HAR) files as XML instead of JSON. Unfortunately, the new JSON exporter omits the required encoding=”base64″ attribute when including binary bodies. Also unfortunate, F12 doesn’t write the creator version field in the JSON; a proper version number here would allow tools like Fiddler to better accommodate the buggy output.

10. CSS Animations that have been offloaded to the GPU (“independent animations”) cannot be stopped. The only workaround is to prevent them from being independently animated.

Omitted

1. Windows 7 Support – After strongly hinting that IE11’s successor would run on Windows 7, the team changed course and said that Edge wouldn’t appear on Windows 7 at release but they’d promise to “watch customer demand” for a Windows 7 version. From both mind-share and market-share perspectives, I think this is a very risky move.

2. Extensions – Edge was expected to contain a new Chrome-like extension model, but this slipped from the original release. There’s currently no ETA for its arrival. Update: Delayed to 2016.

3. Tracking Protection Lists – A Tweet from an IE engineer implies that these will not be coming back to Edge and the future extension model is expected to serve as a replacement. This is unfortunate, as a good TPL dramatically improves the speed at which pages load and significantly reduces the number of pages that can cause the browser to hang or crash.

4. AddSearchProvider – Edge makes it quite cumbersome to add search providers, having removed the AddSearchProvider API supported by IE7-IE11, Chrome and Firefox.

5. Click-to-Play – There’s no way to configure the built-in Flash object to operate in a “click-to-play” manner.

6. Report Phishing – The old “SmartScreen > Report this Site” experience has been removed and replaced with a “Feedback and Reporting” widget that accepts all sorts of feedback about both the browser and the site. It is likely that this experience does not collect the same level of data as the old experience, meaning that some reported phish may escape.

7. Menus & Chords – When Microsoft Office dumped the menus in favor of the ribbon system, they ensured that the old accelerator keys and keyboard chords (e.g. Alt+F,C to “Close tab”) continued to work. Edge makes no such attempt, and thus my muscle memory built up for over a decade now fails.

8. JavaScript Uncontrollable — Unlike nearly every browser, Edge offers no way to disable JavaScript on a per-site or global basis, even to test <noscript> tags.

9. Certificate Inspection — There’s no way to inspect the certificate presented by a HTTPS site.

Bonus Gripes: Windows 10 Issues

1. ~~At 125% Zoom, the Window Title bar is one pixel too short.~~ (Fixed in August)

Embedded image permalink

2. There’s no visual distinction between the title bar and the menu bar in some apps (like Notepad). As a consequence there’s no way to tell whether click & drag will drag the window or do nothing at all.

3. ~~A background licensing service frequently crashes when resuming from sleep; it takes down the WiFi service which runs in the same service host which means you can’t access WiFi after resume~~. Update: fixed by the July 20th update.

4. The experience for making applications default has changed again in Windows 10. While the Windows 8/8.1 experience wasn’t awesome, the Windows 10 experience is a slap in the face to the user. Mozilla is complaining, justifiably.

5. Win10/.NET4.6 carries over the Shell/.NET bug whereby double-clicking any label control copies its text to the clipboard. The behavior change in the comctl32 label control was checked in during Windows Vista by a rogue dev without a spec or an explanation.

6. Windows 10 carries over the Windows 8 regression whereby proxy-change calls are ignored during shutdown.

-Eric

Zopfli All The Things

I’ve written about Zopfli quite a bit in the past, and even wrote a tool to apply it to PNG files. For fun, I had a look at one of the most optimized pages in the world: Google.com, through the lens of Zopfli.

Here are the basic resources delivered by the Google homepage:

Zopfli WhatIf

This breakdown shows that Google isn’t optimizing their own compression using the compressor they wrote. The Savings column shows the number of bytes saved by using Zopfli over whatever Google used to compress the asset. Using the default settings in an ideal world, Google could save up to 16.5k, almost 5% of the bytes transferred, by using Zopfli.

I’ve color-coded the column based on how practical I believe the savings to be—the green numbers are the static images where there’s no question the size benefit could be realized. The yellow numbers are cases where script files are compressed; given the complicated query string parameters, I’m betting these scripts are dynamically generated and the compression cost of Zopfli might not be reasonable. The red number is the homepage itself, which probably isn’t reasonable to Zopfli compress as it certainly is generated dynamically.

So, most likely the savings of a practical Zopfli deployment on the homepage page would be about 3.7kb; savings are much greater on other pages on other sites.

More interesting, however, is the Google API CDN, which hosts scripts for other sites; optimizing these would take a minute or two at most and make every site that uses them faster.

Zopfli savings

Use Zopfli; give the tubes a little bit more room.

-Eric

PS: You may already have zopfli.exe on your system; Fiddler installs a copy to its \Tools\ subfolder!

What I Use–Software Edition

I’ll update this list from time-to-time.

Criteria

The #1 criteria for any software I use is first, do no harm. There’s a lot of great software out there that’s ruined by side-effects, including security problems, performance problems, advertising, and anything else that makes my computer worse for having it installed. In some cases, I’ve simply written my own software (usually uglier and with fewer features) because I’m not willing to compromise on this principle.

What I’m using

Fiddler (free) – For someone who doesn’t really build or test web applications for a living, I still find myriad uses for Fiddler, and I’m always adding more. Current boot count: 13,689.

Chrome (free) – I recently changed my default browser to Chrome on most of my computers. After years of suffering daily crashes in Internet Explorer (known to the IE team, but unfixed), I got tired of waiting for relief. I’m less pleased with Chrome than I hoped to be (their add-ons site is a cesspool of bugs and malware, just like IE’s) but the browser itself is great, and it’s clear that most web developers are building in Chrome first and only later testing in everything else.

Internet Explorer (free) – I use Internet Explorer because it works well with most of the sites I visit, it’s familiar (muscle memory built over a decade), and it supports TPLs, making for a more pleasant browsing experience.

Visual Studio 2013 (commercial) – While I gripe about Visual Studio a fair bit, I can’t imagine using anything else. (I still play with Delphi XE4 once in a while to remind myself how bad things could have gotten.)

SlickRun (free) – This powerful application launcher is one of the first GUI programs I ever built, and it’s now old enough to drink. I’ve modified it over the years to support the latest Microsoft OS’s and hardware (a 64-bit version is now available, for instance) and it remains the first thing I install on every new PC I use. Commands executed: 142,672.

MezerTools (free) – I wrote this simple Software Designer’s toolbox to quickly collect screen-snips, get pixel-perfect measurements (via calipers), and collect color information. You can also quickly convert to/from hex and interact with clipboard text.

Windows Live Writer 2012 (free) – It’s buggy, but better than web-based editors. ~~This tool is on-track to be open-sourced, per Scott Hanselman~~. Now open-source (minus a few features) as OpenLiveWriter.

Windows Live Mail (free) – No-frills email software with solid integration to Hotmail/WindowsLiveMail/Outlook.com/WhateverItIsCalledThisWeek.

File Locator Pro (trialware, freeware) – Windows has flailed around for almost twenty years trying to create a working file search experience. File Locator Pro (and its free cousin, Agent Ransack) neatly fill the gap with powerful search.

EditPad Pro (trialware, freeware) – My favorite text editor offers high-performance (even on obscenely large files), syntax highlighting, a great hex mode, and much more. A freeware version (EditPad Lite) is available, but this software is worth buying. I originally thought that its support for FTP/FTPS was utterly ridiculous “feature bloat”. Then my ISP stopped working with Expression Web (FPSE fell out of support with Win2k3’s retirement) so EditPad has become my primary web authoring tool.

Camtasia (commercial) – The industry-leading screen recording software. It has more features than I’ll ever use, and it’s not cheap. But if I had it to do all over again, I’d buy Camtasia immediately and save myself the hours of wasted effort trying to get lesser software to work.

VLC (freeware) – This media player seems to be able to play back everything I throw at it, and gets updated as new formats arise.

Microsoft Word 2010 (commercial) – I wrote my book using Word 2010 and it worked much better than anything else I tried (more on this in a later post). I tried Office 2013 and uninstalled it quickly—beyond the confusingly “extra flat” user-interface, the later version of Office couldn’t handle my book without slowing to a crawl (“background save” locks the UI for 5-15 seconds).

Paint.NET (freeware, be careful) – When Microsoft Paint can’t do the job, I turn to Paint.NET, a powerful alternative. Warning: Be sure to click the right download link, there are many misleading advertisements on the download page. Also, note that it does a terrible job encoding PNG files, so be sure to recompress them.

Axialis IconWorkshop (trialware) – When I need to build icons, this tool takes the pain away.

Start8 (trialware) – Makes Windows 8 and Windows 8.1 bearable.

7-zip (freeware) – Archive compression and decompression software.

Day One (Mac, commercial) – Journaling software, with the right mix of beauty and power.

-Eric

Google Search Provider in Microsoft Edge

Back in the IE7 days, I built a simple Search Provider Builder that allowed IE users (and later users of other browsers) to add custom search engines to their browser without any changes to the site. Trivia: This hour-long little prototype soon led to a formal effort to put this tool on the IEAddons site; the PM for that project was a new hire who eventually married me. :-)

Microsoft Edge has decided to change course and break the AddSearchProvider API used to add custom search providers based on user-initiated actions. The API works in IE7-IE11, Firefox, and Chrome, but not in Edge. Instead, search providers can only be “discovered” by sites that advertise them. (For the avoidance of doubt, let me say explicitly that I think this is terrible; if you agree, vote here).

For now, you can workaround the Edge browser limitation by visiting this page: Install Edge Search Providers for Google, DuckDuckGo, Wikipedia, and Amazon.

Two other changes were made as a part of the Edge search changes:

Search provider URLs must be HTTPS (yay!)
Search providers may not provide Search Suggestions. All Search Suggestions now come from Bing (boo!) over HTTPS (yay)

-Eric Lawrence

Update: Feb 6, 2017 — This post is still accurate for the very latest Microsoft Edge Insider’s Build 15025.

What I Read–Book Edition

This is a list of books I’ve read recently, with a Twitter-fitting review for each. I’ll update it periodically.

Fiction

The Martian – I greatly enjoyed this book; I was planning to try to get it some attention, but just before I tweeted, I learned it’s about to be a major motion picture. Oops. :-)

Wool – Great dystopian sci-fi. The writer is the closest thing the self-publishing industry has to an evangelist, and he’s awesome at it.

Ready Player One: A Novel – a light, fun read; I loved it.

Mr. Penumbra’s 24-Hour Bookstore – Fun and odd.

Seveneves: A Novel – I love Stephenson’s earlier work, and some of his later work (e.g. Reamde). This one was a mixed bag—it managed to reduce the magic of spaceflight to a boring set of “delta-v”s. On the other hand, every time I considered putting it down, there was a twist that pulled me back in.

Non-Fiction

Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications – If you want an accurate, up-to-date book on TLS, this is the one to buy.

Command and Control: Nuclear Weapons, the Damascus Accident, and the Illusion of Safety – A terrifying and great book; if you don’t know why you should still be afraid of nuclear weapons, you need to read this book.

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon – A great book; reads like a techno-thriller… but it’s non-fiction.

An Astronaut’s Guide to Life on Earth: What Going to Space Taught Me About Ingenuity, Determination, and Being Prepared for Anything – Canadian astronaut Chris Hadfield’s memoir. I wanted to be an astronaut as a kid and this reawoke that interest to a surprising degree. But it also clearly pointed out the trade-offs (37 out of 52 weeks a year on the road) that I couldn’t imagine making with a family.

How to Fail at Almost Everything and Still Win Big: Kind of the Story of My Life – Cartoonist Scott Adams’ memoir and suggestions for success in life; it’s similar in ways to Hadfield’s memoir in being a mix of stories and advice. There were parts of this I really disliked, but there were some great parts too. The best was the repeated advice that goals are for suckers, systems are for winners — similar to Hadfield’s advice, this points out that life is more about the journey than the destination, and if you ever make it about the destination, you’re going to be in very bad shape after you realize you’ve reached it and can’t imagine what to do next.

On Writing Stephen King writes about writing — how he does it and how to do it well. It’s awesome.

Stories I Only Tell My Friends – Rob Lowe’s memoir; I had low expectations, but this book crushed them– it was funny, surprisingly interesting and very well-written.

HTTPS Only Works If You Use It

It should be obvious, but everyone seems to be making the same mistake.

HTTPS only works if you use it. Everywhere.

If you don’t use HTTPS everywhere, a bad guy can intercept an insecure request and prevent the user from reaching your secure site. HSTS is a good start to mitigating the threat of accidentally using an insecure link, but it only helps if you have an HSTS policy set for every domain you will be using.

There’s a big collection of failures to use HTTPS here, but the following are ongoing problems that I’ve been complaining about for a long time now…

IE’s “Domain Suggestions” feature can prioritize insecure suggestions over secure suggestions:

Many major companies (including OS vendors, investment firms, etc) offer HTTPS links in their email… Except they’re not really HTTPS; they’re HTTP links to a “click counter” that is meant to redirect to the secure link. These redirects can be intercepted:

Microsoft OneDrive’s Sharing experience generates secure links by default:

…but the link is made insecure if you click the “Shorten link” button:

The IE Team still hasn’t changed the default Bing search provider to use HTTPS:

Surprisingly, both the Google and Yahoo providers offered are secure, and the Bing provider is secure in Firefox and Chrome. Only IE+Bing is insecure.

The list, sadly, goes on and on.

One of the more esoteric problems I’ve seen is on a site that generally does security quite well: Twitter.

Consider what happens if a user posts a tweet: “I invest with wealthfront.com.” Now I, as a normal human, didn’t spell out https:// in front of that link and Twitter sees it as http://wealthfront.com. This, in itself, might be okay, because WealthFront.com sends a 24 month HSTS policy with the preload attribute, meaning that many browsers will automatically upgrade any http:// reference to https://. That’s great.

Except.

Twitter has some interesting logic in their site. They use a redirector (t.co) to rewrite all hyperlinks, presumably so they can track clicks and block spam or dangerous URLs. When you paste a link into Twitter, it looks to see if the link is to a HTTP target or to a HTTPS target. If it’s to a HTTP target, they use http://t.co and if it’s to a HTTPS target, they use https://t.co.

And here we find the problem. My innocent wealthfront.com reference, which should have been protected by HSTS, has been made insecure because the Twitter folks decided not to use HTTPS everywhere.

Update: They fixed this, now all t.co links are HTTPS.

If you think you’re smart enough not to use HTTPS everywhere, you’re probably wrong.

-Eric

Testing HTTPS In Native APPs

Over on Twitter, Paul asks how to verify that a native application is using TLS.

For a PC, it’s pretty simple, just run Fiddler and watch the traffic. If you see any HTTP requests (other than those labeled “Tunnel to”, indicating a HTTP tunnel used for HTTPS traffic) from the Process of interest, that traffic is insecure and could be intercepted.

Macs and Mobile Devices

For Mac, iOS, Android, Windows Phone, Windows RT or other devices, the first step is to install Fiddler on a Windows or Linux PC (or Virtual Machine) and configure its proxy to point at the Fiddler instance (e.g. that machine’s IP address, port 8888). For now, don’t add the Fiddler root certificate to the device. Launch the application in question and see whether you see insecure HTTP requests. If not, then look to see whether you see any HTTPS requests. If you see only Tunnel to requests but no HTTPS requests, then the app is using HTTPS securely and isn’t willing to accept just any old certificate (like some insecure apps), only a trusted certificate will be accepted. (If you don’t see any traffic at all, try the default browser to make sure you’ve set up the proxy settings properly).

Using Fiddler’s TextView inspector at the top-right of the debugger, you can examine the CONNECT request (“Tunnel to”) Fiddler captured to see which TLS version the client offered, as well as the list of ciphers and extensions the client supports.

If you’d like to see the plaintext of the HTTPS requests, then install the Fiddler root certificate on the device. If you can now see the decrypted requests, the device has a reasonable HTTPS configuration where HTTPS traffic must be signed by a trusted root certificate.

Certificate Pinning

However, if after trusting the root certificate, you can see HTTPS traffic from the device’s primary browser but not the application in question (you still only see only Tunnel to requests) that implies that the app is using Certificate Pinning, whereby only specific certificates (or certificates that have a specific ancestor certificate in their chain) are accepted. To debug the HTTPS traffic from such an application, you’ll need to jailbreak the device and use a tool like the iOS SSL Kill Switch to thunk the HTTPS APIs to allow any certificate. Certificate Pinning is a good security technique, but it can make your application unusable in certain environments.

~~The one exception to this heuristic for detecting certificate pinning logic is Chrome on iOS; that app ignores the iOS trusted root store due to limitations in the platform APIs.~~ Update: In Chrome 48, Chrome for iOS stopped using its own network stack and began using the WkWebView component, which means it uses the iOS native network stack and HTML renderer.

Configuration Quality

Beyond the scenarios described above, you should test your browsers’ and servers’ TLS support using the great tools at SSLLabs.com.

You can more exhaustively test a client (by installing a local agent) using this Linux application, and you can read about why validation of HTTPS certificates in non-browser software is considered “the most dangerous code in the world.”

-Eric

Photoshop and Save For Web

Adobe recently announced that “Save for Web” in Photoshop is a “legacy feature” which won’t be improved. I decided to have a look at Adobe Photoshop CC (2015.0.0 Release 20150529.r88 x64) to see the impact of its many different “save” commands on the resulting file size.

First, I created a trivial 20×20 image and drew a red dot in the middle of it.

Next, I performed the naïve File > Save As > PNG operation. The output is a 16,723 byte PNG file, 97% of which is Adobe metadata:

If I instead use File > Export > Quick Export as PNG, the result is a 571 byte PNG that can be shrunk by 35 bytes to 536 using the Zopfli compressor:

If I instead click File > Export > Export As > PNG, the default size is 608 bytes:

If I untick the “Transparency” checkbox:

…the file grows to 662 bytes. Interestingly, however, when I retick that same box, the file now shrinks down to 571 bytes. A quick investigation shows that unticking and reticking the box silently changes the PNG from a 48 color palette to a RGB/A image, which is smaller in the case of this small image.

If I use the new File > Generate Assets checkbox and name my layer “reddot.png” the automatically-saved PNG file in the PSD’s subfolder is the 608 byte version.

If I choose File > Export > Save for Web (Legacy) and choose to save a PNG-24 file:

… Photoshop reassures me that I’ve made good choices:

… But it’s lying. The information at the bottom left doesn’t account for the 935 bytes of useless metadata embedded in the image:

I need to change the Metadata dropdown to None:

…to get Adobe to omit most of the metadata, although it still wastes 37 bytes of your file advertising Adobe’s product. If you now distill the file, you can save those 37 bytes and pick up a 29 byte improvement in compression for a final file size of 411 bytes.

So, as you can see, Adobe Photoshop can save this simple 477 byte image in sizes ranging from 477 bytes to a whopping 16723 bytes. The Adobe overhead isn’t “fixed”—it can be much larger: a 207K PNG file on Adobe’s website has 132K of metadata in it, while a 49.1K PNG file on Microsoft’s website contains 48.9K of Adobe metadata.

Lessons Learned:

Learn how to use your tools.
Expect your tools to lie to you.
Use an optimizers.

-Eric

Content Blocking: Unintended Consequences

Our company uses a web firewall device called IronPort to attempt to block unwanted network traffic; it blocks access to known phish and malware domains, and, more annoyingly, domains thought to be related to gaming or “questionable” topics (e.g. politics). Whatever.

Today the IT department pushed a new rule set which blocks some requests to domains like s.tagsrvcs.com. Instead of the normal response, you instead get back a HTTP/403 blocking page of type text/html:

That’s fine, I guess (bye-bye trackers).

Except.

Many of the websites I visit (Wired, WashingtonPost, VanityFair, etc) now hang Internet Explorer:

Huh!?! How could blocking a tracker cause the page to hang?

Windbg gives us a great big clue:

Ah ha! The XSS Filter’s regular expression engine is hanging. But why does it hang if the target content is blocked?!?

Because when the target content isn’t blocked, the server returns a HTTP/200 with a zero byte body, and thus nothing that needs to be scanned for an XSS attack.

When the IronPort device blocks a response, it returns a HTTP/403 with the body HTML shown in the first screenshot. Now IE’s XSS filter must run to check to see whether any of the content from the request was reflected into the blocking page. Still, the blocking page response is pretty simple… Hmm… let’s look at the request.

Oh. Yeah, I can see why turning that into a regular expression might take a bit longer than the developers of the XSS Filter might’ve planned for.

So, a few lessons:

Don’t underestimate the collateral damage of blocking content.
If there’s absolutely no chance of a reflection, send an X-XSS-Protection: 0 response header.
As a web developer, choose your third-party dependencies with care. Any of them could break you.
When talking to pointy-haired bosses, webdevs, and designers, refer to HTTPS as “HiFi” to help make it clear that TLS isn’t just some techno mumbo-jumbo– it’s necessary to help ensure the fidelity of the user’s experience.

-Eric