Resolve Network Errors by deleting cookies for a single website.
Tag Archives: browsers
Securely Displaying URLs
One of my final projects on the Chrome team was writing an internal document outlining Best Practices for Secure URL Display. Yesterday, it got checked into the public Chromium repro, so if this is a topic that interests you, please have a look! Additionally, at Enigma 2019, the Chrome team released Trickuri (pronounced “trickery”) a tool forContinue reading “Securely Displaying URLs”
Private Browsing Mode
Note: This blog post was originally written before the new Chromium-based Microsoft Edge was announced. As a consequence, it includes discussion of the behavior of the Legacy Microsoft Edge browser. The new Chromium-based Edge behaves largely the same way as Google Chrome. Last Update: 13 June 2025 InPrivate Mode was introduced in Internet Explorer 8Continue reading “Private Browsing Mode”
An Update on the Edge XSS Filter
In Windows 10 RS5 (aka the “October 2018 Update”), the venerable XSS Filter first introduced in 2008 with IE8 was removed from Microsoft Edge. The XSS Filter debuted in a time before Content Security Policy as a part of a basket of new mitigations designed to mitigate the growing exploitation of cross-site scripting attacks, joining older features like HTTPOnlyContinue reading “An Update on the Edge XSS Filter”
Streaming Audio in Edge
This issue report complains that Edge doesn’t stream AAC files and instead tries to download them. It notes that, in contrast, URLs that point to MP3s result in a simple audio player loading inside the browser. Edge has always supported AAC so what’s going on? The issue here isn’t about AAC, per-se; it’s instead about whether or notContinue reading “Streaming Audio in Edge”
Cookie Controls, Revisited
Update: The October 2018 Cumulative Security Update (KB4462919) brings the RS5 Cookie Control changes described below to Windows 10 RS2, RS3, and RS4. Note: Most of the content about “Edge” in this post describes Edge Legacy– modern Edge is based on Chromium and behaves mostly like Chrome. See more discussion of 3P cookies in 2022’s NewContinue reading “Cookie Controls, Revisited”
ERROR_INSUFFICIENT_BUFFER and Concurrency
Many classic Windows APIs accept a pointer to a byte buffer and a pointer to an integer indicating the size of the buffer. If the buffer is large enough to hold the data returned from the API, the buffer is filled and the API returns S_OK. If the buffer supplied is not large enough toContinue reading “ERROR_INSUFFICIENT_BUFFER and Concurrency”
Edge Interop Issues
As we finish up the next release of Windows 10 (Fall 2018), my team is hard at work triaging incoming bugs. Many such bugs take the form “Edge does the wrong thing for this page. ${Other_Browser} works okay.” This post is designed to be an (ever-growing) index of some of the behavioral deltas that areContinue reading “Edge Interop Issues”
Stop Spilling the Beans
I’ve written about Same Origin Policy a bunch over the years, with a blog series mapping it to the Read/Write/Execute mental model. More recently, I wrote about why Content-Type headers matter for same-origin-policy enforcement. I’ve just read a great paper on cross-origin infoleaks and current/future mitigations. If you’re interested in browser security, it’s definitely worth a read.
Fight Phish with Facebook (and Certificate Transparency)
As of April 30th 2018, Chrome now requires that all certificates issued by a public certificate authority be logged in multiple public Certificate Transparency (CT) logs, ensuring that anyone can audit all certificates that have been issued. (Update: Microsoft Edge 79+ also mandates CT). CT logs allow site owners and security researchers to much more easily detectContinue reading “Fight Phish with Facebook (and Certificate Transparency)”
text/plain 