Channel: Scheme/Host/Port

Welcome, dear reader

I've decided to start blogging again.  This blog is about the security architecture of the web platform, where we are today, how we got here, and where we're going tomorrow.  My goal is to write one...

Foundations: Origin

Every discussion of the security architecture of the web platform should begin with the notion of an origin.  An origin is the basic unit of isolation in the web platform.  Every object in the browser...


Integrity for sessionStorage

There are many different ways to think about security.  I prefer the following approach: Define a set of threat models that describe the attacker's capabilities.  For example, the "man-in-the-middle" is...


Local URIs are more equal than others (Part 1)

On Wednesday, Cedric Sodhi asked the WebKit development mailing list why WebKit restricts access to local URIs.  This post describes one of the reasons why local URIs are more equal than other URIs....


X-Script-Origin, we hardly knew ye

On Thursday, Robert Kieffer filed an interesting bug in both the WebKit and Mozilla bug trackers: WebKit and Mozilla browsers redact the information passed to window.onerror for exceptions that occur in...

The Priority of Constituencies

Lawrence Lessig wrote in Code is Law that the choices we make in writing code embody our values.  This observation is especially true when building a browser because the browser mediates interactions...


How I learned to stop worrying and embrace Content-Security-Policy

This week, the W3C Web Application Security working group held its first face-to-face meeting at TPAC, the W3C's annual technical meeting.  The main topic of discussion was moving...


Referer (sic)

One of the more astonishing facets of the web platform is the Referer header.  Whenever you click a link from one web site to another, the request that fetches the web page from the second web site...

Timing Attacks on CSS Shaders

CSS Shaders is a new feature folks from Adobe, Apple, and Opera have proposed to the W3C CSS-SVG Effects Task Force.  Rather than being limited to pre-canned effects, such as gradients and drop...

RFC 6454 and RFC 6455

Today, the IETF published two documents: RFC 6454, The Web Origin Concept, and RFC 6455, The WebSocket Protocol.  Both these documents started out as sections in the HTML5 specification, which has been...
