Google Chrome–Two(ish) Years In

My first year (2016) on Chrome was both exciting and challenging. Beyond the expected firehose of new things to learn, and foreseen challenges (a second son!), there were unforeseen challenges, like working as a SWE instead of a Developer Advocate, and a long illness.

Overall, my second year (2017) on Chrome was a bit smoother– I was still learning a ton every day, but I finally started to make non-trivial contributions as a developer.

I started to develop a sense of direction when navigating the millions of lines of code that make up Chrome’s multi-process architecture, and did the development work for HTTPBad Phase 2. Building that feature involved sending messages from Blink through Mojo to the Browser process and triggering UI updates, collecting metrics and rolling out the feature gradually via a Chrome Field Trial. Shipping the change on iOS (where Chrome must use WkWebView rather than Blink) was especially tricky as the architecture, toolchain, and testing are all quite different.

I briefly took ownership of maintaining Chrome’s HSTS Preload list and processes and worked with domain registry fTLD in getting the .bank and .insurance top-level-domains added to the preload list. Getting TLDs preloaded is a huge win for security and performance, and hopefully we’ll see more TLDs joining in the near future.

The single biggest productivity improvement of the year was moving from building locally to using Goma for dramatically faster builds. With the benefit of hindsight, I should’ve done this in 2016 and failing to do so was one of the biggest mistakes I’ve made.

Reproducing, reducing, and triaging security issues remained my favorite thing to do, and I got better at identifying which of Chrome’s many experts was best suited to investigate and develop patches. I also made a bunch of updates to Chrome’s public Security FAQ and other documentation, and published some notes on my research into Chrome’s XSS Auditor. I had the chance to do the pre-launch security review for a number of cool features around the product, and work with other Google teams on a number of HTTPS-related issues. I filed 161 issues.

The only constant when working on Chrome is change, and I spent a lot of time keeping up with changes in everything from architecture (Site Isolation!) to tooling, including the move from Reitveld to Gerrit for code review. I also kept the extensions I’ve developed up-to-date with changes and bugfixes, and code-reviewed a few publicly-available extensions, both good and evil.

Speaking of changes…

I’ve learned a ton over the last two years and I’m grateful for having had the opportunity to help keep users safe and work with such a talented group of passionate engineers. I still get dizzy when I think about the size and skillset of the Chrome team, and I’m super-excited about the improvements coming to Chrome in the near future. While progress is never as fast as I’d like, I’m proud to see the real-world web moving toward a more encrypted, secure, and powerful future.

May 29th will be my last day on the Chrome team and at Google. Starting in June, I’ll be heading back to Program Management, working together with a lot of old friends.

browsers, security

My Next Adventure

Back in 2004, I couldn’t get the tiny IE team interested in fixing caching bugs that were causing my team’s website to break in bizarre and unpredictable ways. I figured I’d hop over there, fix some bugs, and move along. I quickly realized that I was hopelessly in love with browsers in general and security in particular. The hours were long, the problems were immense, but it was easy to make a big difference.

After eight years on the IE team, mostly working in Security, I felt like I’d crafted my dream job. I got to work with smart people every day, and help protect the browsing public from some very bad guys. It was very difficult to leave, but Telerik offered me a different dream job—building my side-project, Fiddler, on a full-time basis.

I spent three years here, doing important work on Fiddler to help take it from a side-project to a professional-caliber tool with the features and polish that users expect. And I’ve had a blast.


I’ve missed working on browsers. And on security. While Fiddler has kept me close to that scene, it wasn’t quite close enough. As one of my old leads on the IE team once observed: “No matter what you add to Fiddler, your work on a browser used by almost a billion people will always have a greater impact.”

In the midst of this nostalgic longing, a former colleague posted the following tweet:

Tweet: Join the Chrome Security team

Casual conversations were had. Then more serious conversations. Then interviews. And more interviews.

Philip Su, a brilliant guy whose tech talk inspired me to apply at Microsoft once said: “The team you want to join is the one that’s hard to get into.

Every single person I talked to was smarter than I was. It was crazy-intimidating. And inspiring.

Tweet: Wanna grow? Be the dumbest guy in the room

For my first few years on IE, there was ample speculation that Google would release a browser, presumably some slick skinning of Firefox with all the Google services bolted on. Then Chrome shipped and it was so much more interesting. So many things were done “right” from day 1, and the pace of evolution was amazing. And it wasn’t just the technical guts– I was astonished to see things like the Chrome comic book, which explained things like process isolation and integrity levels in a way that mere mortals could understand. Chrome continued to evolve and grow to take on its role as a platform; ChromeOS now powers a third of the machines in my house. The Chrome team is driving the security of the web as a whole.

I want users to win. To achieve that, I want the web to win, and I want to make life harder for the bad guys every day.

I’m thrilled, excited, honored, and more than a little intimidated to be joining the Chrome Security team on January 4th 2016.

Let the firehose-drinking begin!

Boy being knocked over by a stream of water from a firehose directed at his face