Mike West
Making the web marginally less insecure, one deprecation at a time. I work on Chrome's security team, but my tweets are my own, etc, etc.
Mike West retweeted
FD Jan 31
, , and I are starting a new security blog. In our first write-up, we will discuss the impact of "SameSite by default" and how it affects web app sec. Feel free to request future topics you would like us to cover.
Mike West Jan 28
SSO in particular is something that is crying out for explicit support. There's a lot of value in federated auth generally, and I'd like to not throw it out with the bathwater.
Mike West Jan 28
One way of looking at the general approach Chrome is taking is as a set of "little tricks", each targeting some specific use case. Once we have a bag of them, taking aggressive action in the service of privacy protection is less double-edged.
Mike West Jan 28
Replying to @aprilmpls
The thrills of hindsight. :(
Mike West Jan 28
Meh. That wasn’t a great name, because it makes people think that it’s totally fine to argue about what’s powerful enough to be restricted (when the answer, obviously, is _everything_). Also “Secure Context” is terrible. I am bad at naming. :(
Mike West Jan 28
Replying to @chipswoon
I have a good imagination. :)
Mike West Jan 28
Replying to @chipswoon
Unfortunately, that price is most likely paid by the folks to whom the smug, smarty-pants developer Explains It All™.
Mike West Jan 28
Either CORP or CORS is sufficient to pass the COEP check. This is briefly mentioned in #2 of and implicit in step 3 of . There's probably a better place to put that in the doc...
Mike West Jan 28
The more I hear people talking about `SameSite`, and trying to explain it to each other, the more I regret literally everything about the spelling choices we made in its design. Naming things is easier in retrospect.
Mike West Jan 28
Replying to @annevk @jaffathecake
Yeah. "kinda sorta if you squint". But you may be right that there's too much subtlety there to easily explain.
Mike West Jan 28
Replying to @jaffathecake
COEP will accept either a CORS check or a CORP assertion. For the `ACAO: *` case, the checks are quite similar, but the former requires developers to do a little more work to change their request type from no-cors to CORS.
Mike West Jan 28
Replying to @jaffathecake
ACAO is (kinda sorta if you squint) a superset of CORP. The former makes CORS checks pass, which means the entire resource is explicitly readable by the requestor. The latter merely allows embedding. has some context.
Mike West Jan 28
Replying to @jaffathecake
Friendly amendment: Resources that assert `ACAO: *` can also safely assert `Cross-Origin-Resource-Policy: cross-site`, which will become important once we collectively ship .
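The COEP behaviour described in the three replies above (a passing CORS check or a CORP assertion is sufficient, and a no-cors fetch of an `ACAO: *` resource still needs CORP), as an added example that is not part of the original thread or Chrome's code: a constructed, simplified model of the `require-corp` embedding check. The `site_of` approximation (scheme plus the last two host labels) and the plain-dict header shape are assumptions of the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed model of the Cross-Origin-Embedder-Policy: require-corp check.
# Added example only; not the Fetch spec's or Chrome's implementation.


@dataclass
class Request:
    mode: str                  # "no-cors" or "cors"
    origin: str                # origin of the embedding document, e.g. "https://app.example"
    credentials: bool = False  # whether cookies/credentials accompany the request


def site_of(origin: str) -> str:
    # Assumption: a "site" is the scheme plus the last two host labels. Real browsers
    # consult the Public Suffix List, so this is only an approximation.
    parts = urlsplit(origin)
    return f"{parts.scheme}://{'.'.join(parts.hostname.split('.')[-2:])}"


def cors_check(req: Request, headers: dict) -> bool:
    # CORS path: the response must name the requester, or "*" for credential-less requests.
    acao = headers.get("access-control-allow-origin")
    if acao is None:
        return False
    if acao == "*":
        return not req.credentials
    return acao == req.origin


def corp_check(req: Request, resource_origin: str, headers: dict) -> bool:
    # CORP path: under require-corp a missing or unrecognised header counts as "same-origin".
    corp = headers.get("cross-origin-resource-policy", "same-origin").strip().lower()
    if corp == "cross-site":
        return True
    if corp == "same-site":
        return site_of(req.origin) == site_of(resource_origin)
    return False  # "same-origin": the caller has already excluded same-origin requests


def coep_allows(req: Request, resource_origin: str, headers: dict) -> bool:
    """May a document served with COEP: require-corp embed this response?
    Same-origin always passes; otherwise a CORS check (cors-mode requests)
    or a CORP assertion (no-cors requests) is sufficient."""
    if req.origin == resource_origin:
        return True
    headers = {k.lower(): v for k, v in headers.items()}
    if req.mode == "cors":
        return cors_check(req, headers)
    return corp_check(req, resource_origin, headers)
```

A resource that sends both `Access-Control-Allow-Origin: *` and `Cross-Origin-Resource-Policy: cross-site` passes on either path, which is why the two headers can safely be asserted together.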
Mike West retweeted
koto Jan 22
The time has come to fix that typo in Referer ;)
Mike West Jan 19
Not much snow, but just enough to have some fun with the kids this morning!
Mike West Jan 17
For the non-academics among us, what are the expectations for a “paper”? (I think this question boils down to “Please explain academia.”, unfortunately…)
Mike West Jan 16
I think there's a lot of room for more collaboration between browser vendors and academia; this workshop (alongside IEEE Euro S&P in June) might be a good chance to kick off some new conversations!
Mike West retweeted
Brad Hill Jan 15
💕❤️💕 for all who have worked for a better web and a better world at Mozilla.
Mike West Jan 15
Replying to @konklone
Also, they may not have told you yet, but you’re going to be contractually obligated to change your name to “Emily”.
Mike West Jan 15
Replying to @konklone
This is incredibly exciting news. I look forward to fighting with the rest of the security team to give you work to do. :)