Mike West
@mikewest
München, DE
Making the web marginally less insecure, one deprecation at a time. I work on Chrome's security team, but my tweets are my own, etc, etc.
14,419 Tweets
313 Following
6,346 Followers

Tweets

Mike West retweeted
FD @filedescriptor · Jan 31
@ngalongc, @EdOverflow, and I are starting a new security blog.
In our first write-up, we will discuss the impact of "SameSite by default" and how it affects web app sec. Feel free to request future topics you would like us to cover.
blog.reconless.com/samesite-by-de… pic.twitter.com/5R23YmpksT

Mike West @mikewest · Jan 28
SSO in particular is something that is crying out for explicit support. There's a lot of value in federated auth generally, and I'd like to not throw it out with the bathwater.

Mike West @mikewest · Jan 28
One way of looking at the general approach Chrome is taking is as a set of "little tricks", each targeting some specific use case. Once we have a bag of them, taking aggressive action in the service of privacy protection is less double-edged.

Mike West @mikewest · Jan 28
The thrills of hindsight. :(

Mike West @mikewest · Jan 28
Meh. That wasn’t a great name, because it makes people think that it’s totally fine to argue about what’s powerful enough to be restricted (when the answer, obviously, is _everything_). Also “Secure Context” is terrible.
I am bad at naming. :(

Mike West @mikewest · Jan 28
I have a good imagination. :)

Mike West @mikewest · Jan 28
Unfortunately, that price is most likely paid by the folks to whom the smug, smarty-pants developer Explains It All™.

Mike West @mikewest · Jan 28
Either CORP or CORS is sufficient to pass the COEP check. This is briefly mentioned in #2 of mikewest.github.io/corpp/#intro and implicit in step 3 of mikewest.github.io/corpp/#corp-ch…. There's probably a better place to put that in the doc...

Mike West @mikewest · Jan 28
The more I hear people talking about `SameSite`, and trying to explain it to each other, the more I regret literally everything about the spelling choices we made in its design.
Naming things is easier in retrospect.

Mike West @mikewest · Jan 28
Yeah. "kinda sorta if you squint". But you may be right that there's too much subtlety there to easily explain.

Mike West @mikewest · Jan 28
COEP will accept either a CORS check or a CORP assertion. For the `ACAO: *` case, the checks are quite similar, but the former requires developers to do a little more work to change their request type from no-cors to CORS.

Mike West @mikewest · Jan 28
ACAO is (kinda sorta if you squint) a superset of CORP.
The former makes CORS checks pass, which means the entire resource is explicitly readable by the requestor. The latter merely allows embedding.
mikewest.github.io/corpp/#why-not… has some context.

Mike West @mikewest · Jan 28
Friendly amendment: Resources that assert `ACAO: *` can also safely assert `Cross-Origin-Resource-Policy: cross-site`, which will become important once we collectively ship mikewest.github.io/corpp/.

Mike West retweeted
koto @kkotowicz · Jan 22
The time has come to fix that typo in Referer ;) twitter.com/kcotsneb/statu…

Mike West @mikewest · Jan 19
Not much snow, but just enough to have some fun with the kids this morning! pic.twitter.com/TfUzT9jnDQ

Mike West @mikewest · Jan 17
For the non-academics among us, what are the expectations for a “paper”? (I think this question boils down to “Please explain academia.”, unfortunately…)

Mike West @mikewest · Jan 16
I think there's a lot of room for more collaboration between browser vendors and academia; this workshop (alongside IEEE Euro S&P in June) might be a good chance to kick off some new conversations! twitter.com/kcotsneb/statu…

Mike West retweeted
Brad Hill @hillbrad · Jan 15
💕❤️💕 for all who have worked for a better web and a better world at Mozilla.

Mike West @mikewest · Jan 15
Also, they may not have told you yet, but you’re going to be contractually obligated to change your name to “Emily”.

Mike West @mikewest · Jan 15
This is incredibly exciting news. I look forward to fighting with the rest of the security team to give you work to do. :)