Chromium Internals: PAK Files

Web browsers are made up of much more than the native code (mostly compiled C++) that makes up their .exe and .dll files. A significant portion of the browser’s functionality (and bulk) is what we’d call “resources”, which include things like: Images (at two resolutions, regular and “high-DPI”) Localized UI Strings HTML, JavaScript, and CSSContinue reading “Chromium Internals: PAK Files”

Chromium’s DNS Cache

From the mailbag: Q: How long does Chromium cache hostnames? I know a user can clear the hostname cache using the Clear host cache button on about://net-internals/#dns, but how long it will take for the cache to be removed if no manual action is taken? After changing DNS records on my server, nslookup from aContinue reading “Chromium’s DNS Cache”

Smarter Defaults by Paying Attention

As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions of varying levels of importance: should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sentContinue reading “Smarter Defaults by Paying Attention”

MHTML in Chromium

The MHTML file format (aka “Webpage, single file”) allows a single file to contain the multiple resources that are used to load a webpage (script, css, images, etc). Edge (Chromium) has code to provide limited support for MHTML, though it retains an option to use the format when saving the current page via Ctrl+S orContinue reading “MHTML in Chromium”

Download Blocking by File Type

I’ve previously gushed about the magic of the File Type Policies component — a mechanism that allows files to be classified by their level of “dangerousness”, such that harmless files (e.g. .txt files) can be downloaded freely, whilst potentially-dangerous files (e.g. .dll files) are subjected to a higher degree of vetting and a more security-consciousContinue reading “Download Blocking by File Type”

Per-Site Permissions in Edge

Last year, I wrote about how the new Microsoft Edge browser mostly ignores Security Zones (except in very rare circumstances) to configure security and permissions decisions. Instead, in Chromium per-site permissions are controlled by settings and policies expressed using a simple syntax with limited wildcarding support. Settings Page’s Site Permissions and Group Policy Internet ExplorerContinue reading “Per-Site Permissions in Edge”

window.close() Restrictions

Sometimes, Web Developers are surprised to find that the window.close() API doesn’t always close the browser window. When looking at the Developer Tools console, they’ll see a message like: Scripts may close only the windows that were opened by them. Why Do Browsers Limit close()? Before we dive into what factors govern what happens whenContinue reading “window.close() Restrictions”

Simply Making Simple Fixes Simple for Chromium

Google recently introduced a cool web-based editing tool for Chromium source code, a very stripped down version of the Willy Wonka tooling Googlers get to use for non-Chromium projects. I’ve used this tool to submit two trivial change lists (CLs, aka PRs) to Chromium, but I was curious about whether this new feature would workContinue reading “Simply Making Simple Fixes Simple for Chromium”

Client Certificates and Logout

Last Updated May 16, 2022 Back in May 2020, I wrote about Client Certificate Authentication, a mechanism that allows websites to strongly validate the identity of their visitors using certificates presented by the visitor’s browser. One significant limitation for client certificate authentication is that there is no standards-based mechanism for a user to “log out”Continue reading “Client Certificates and Logout”