Tag Archives: privacy

Thoughts on DNS-over-HTTPS

Updated November 30, 2020 with new information about DoH in Edge, ECH, and HTTPSSVC records, and January 25, 2021 with a few remarks about Edge’s implementation. Type https://example.com in your web browser’s address bar and hit enter. What happens? Before connecting to the example.com server, your browser must convert “example.com” to the network address atContinue reading “Thoughts on DNS-over-HTTPS”

Improving Privacy by Limiting Referrers

Updated July 31, 2020 to reflect changes planned to ship in Chrome 85 and Edge 86. As your browser navigates from page to page, servers are informed of the URL from where you’ve come from using the Referer HTTP header1; the document.referrer DOM property reveals the same information to JavaScript. Similarly, as the browser downloads theContinue reading “Improving Privacy by Limiting Referrers”

Same-Site Cookies By Default

The Chrome team is embarking on a clever and bold plan to change the recipe for cookies. It’s one of the most consequential changes to the web platform in almost a decade, but with any luck, users won’t notice anything has changed. But if you’re a web developer, you should start testing your sites andContinue reading “Same-Site Cookies By Default”

Web-to-App Communication: App Protocols

Note: This post is part of a series about Web-to-App Communication techniques.Last updated: June 4, 2025 Just over eight years ago, I wrote my last blog post about App Protocols, a class of URI schemes that typically1 open another program on your computer instead of returning data to the web browser. A valid scheme name isContinue reading “Web-to-App Communication: App Protocols”

Challenges with Federated Identity in modern browsers

Many websites offer a “Log in” capability where they don’t manage the user’s account; instead, they offer visitors the ability to “Login with <identity provider>.” When the user clicks the Login button on the original relying party (RP) website, they are navigated to a login page at the identity provider (IP) (e.g. login.microsoft.com) and then redirectedContinue reading “Challenges with Federated Identity in modern browsers”