Tag Archives: privacy

First Look: Apple’s NEURLFilter API

At WWDC 2025, Apple introduced an interesting new API, NEURLFilter, to respond to a key challenge we’ve talked about previously: the inherent conflict between privacy and security when trying to protect users against web threats. That conflict means that security filtering code usually cannot see a browser’s (app’s) fetched URLs to compare them against availableContinue reading “First Look: Apple’s NEURLFilter API”

Content-Blocking in Manifest v3

I’ve written about selectively blocking content in browsers several times over the last two decades. In this post, I don’t aim to convince you that ad-blocking is good or bad, instead focusing on one narrow topic. Circa 2006, I was responsible for changing IE so that you could simply add an advertising site to theContinue reading “Content-Blocking in Manifest v3”

Security Tradeoffs: Privacy

In a recent post, I explored some of the tradeoffs engineers must make when evaluating the security properties of a given design. In this post, we explore an interesting tradeoff between Security and Privacy in the analysis of web traffic. Many different security features and products attempt to protect web browsers from malicious sites byContinue reading “Security Tradeoffs: Privacy”

Auth Flows in a Partitioned World

Back in 2019, I explained how browsers’ cookie controls and privacy features present challenges for common longstanding patterns for authentication flows. Such flows often rely upon an Identity Provider (IdP) having access to its own cookies both on top-level pages served by the IdP and when the IdP receives a HTTP request from an XmlHttpRequest/fetchContinue reading “Auth Flows in a Partitioned World”

Q: “Remember this Device, Doesn’t?!?”

Q: Many websites offer a checkbox to “Remember this device” or “Remember me” but it often doesn’t seem to work. For example, this option on AT&T’s website shown when prompting for a 2FA code: …doesn’t seem to work. What’s up with that? A: Unfortunately, there’s no easy answer here. There is no browser standard forContinue reading “Q: “Remember this Device, Doesn’t?!?””