Mike West
@mikewe.st
web browser stuff: security, privacy, safety, etc.
FWIW, CSP is the best thing you can use today, but it's not really built for exfiltration mitigation. We're working on github.com/wicg/connect... with that specific threat model in mind.
GitHub - WICG/connection-allowlists
Contribute to WICG/connection-allowlists development by creating an account on GitHub.
github.com
January 25, 2026 at 4:44 PM
FWIW, CSP is the best thing you can use today, but it's not really built for exfiltration mitigation. We're working on github.com/wicg/connect... with that specific threat model in mind.
I think @arw.me has an electric coffee mug (Ember?) keeping his beverage at a reasonable temperature for some extended period. Perhaps he could pass on a recommendation?
August 8, 2025 at 1:59 PM
I think @arw.me has an electric coffee mug (Ember?) keeping his beverage at a reasonable temperature for some extended period. Perhaps he could pass on a recommendation?
Have you considered writing more about potatoes?
December 15, 2024 at 8:12 PM
Have you considered writing more about potatoes?
On the other hand, knocking down fences is fun, while understanding why fences are there is usually not fun. :(
December 10, 2024 at 9:10 AM
On the other hand, knocking down fences is fun, while understanding why fences are there is usually not fun. :(
Reposted by Mike West
Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices is always opt-in and finally how YOU can get increased security controls.
Modern solutions against cross-site attacks
Modern solutions against cross-site attacks
frederikbraun.de
November 27, 2024 at 7:50 AM
Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices is always opt-in and finally how YOU can get increased security controls.
Reposted by Mike West
There's a good blog post from @april.social about cookie parsing: grayduck.mn/2024/11/21/h...
And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...
Some things have improved, but cookies are still a bit of a design fail.
And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...
Some things have improved, but cookies are still a bit of a design fail.
April King — Handling Cookies is a Minefield
Discrepancies in how browsers and libraries handle HTTP cookies, and the problems caused by such things.
grayduck.mn
November 21, 2024 at 8:39 PM
There's a good blog post from @april.social about cookie parsing: grayduck.mn/2024/11/21/h...
And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...
Some things have improved, but cookies are still a bit of a design fail.
And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...
Some things have improved, but cookies are still a bit of a design fail.
Do you, like me, periodically need to produce a base64-encoded SHA-2 hash of some text? Have you found existing online generator tools to be slightly annoying in some minor way that doesn't precisely fit your workflow? Well, here's another that will annoy you in _different_ ways:
sha2.it
sha2.it
SHA2 digest generator
sha2.it
November 20, 2024 at 9:48 AM
Do you, like me, periodically need to produce a base64-encoded SHA-2 hash of some text? Have you found existing online generator tools to be slightly annoying in some minor way that doesn't precisely fit your workflow? Well, here's another that will annoy you in _different_ ways:
sha2.it
sha2.it
You're entirely right. The promises signatures can make are different in kind, but hopefully no less useful. wicg.github.io/signature-ba... and wicg.github.io/signature-ba... get at the distinctions to some extent, and I'd welcome additions to those descriptions.
Signature-based Integrity
wicg.github.io
November 19, 2024 at 2:53 PM
You're entirely right. The promises signatures can make are different in kind, but hopefully no less useful. wicg.github.io/signature-ba... and wicg.github.io/signature-ba... get at the distinctions to some extent, and I'd welcome additions to those descriptions.
It's unfortunate that this is _also_ the way to discover whether food is untasty.
November 19, 2024 at 7:03 AM
It's unfortunate that this is _also_ the way to discover whether food is untasty.
Reposted by Mike West
Security Signals: Making Web Security Posture Measurable At Scale
research.google
November 17, 2024 at 1:02 PM
wicg.github.io/signature-ba... seems likely to depend on this mechanism; it's going to be necessary to spell out unambiguous approaches to those decision points that make it clear how to generate and validate signatures in a consistent way on both the server and the client.
Signature-based Integrity
wicg.github.io
November 17, 2024 at 6:08 PM
wicg.github.io/signature-ba... seems likely to depend on this mechanism; it's going to be necessary to spell out unambiguous approaches to those decision points that make it clear how to generate and validate signatures in a consistent way on both the server and the client.
I'm skimming RFC9421's signing and validation algorithms for reasons, and it seems like the spec provides way more room for confusion about what's being signed than I'd prefer, with guidance like "Determine an order for any signature parameters...". How? 🤷
www.rfc-editor.org/rfc/rfc9421....
www.rfc-editor.org/rfc/rfc9421....
RFC 9421: HTTP Message Signatures
This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where...
www.rfc-editor.org
November 17, 2024 at 6:02 PM
I'm skimming RFC9421's signing and validation algorithms for reasons, and it seems like the spec provides way more room for confusion about what's being signed than I'd prefer, with guidance like "Determine an order for any signature parameters...". How? 🤷
www.rfc-editor.org/rfc/rfc9421....
www.rfc-editor.org/rfc/rfc9421....
Daniel Stenberg's notes from this week's HTTP Workshop are a nice way of catching up on smart folks' thoughts about the present and future of your favorite transport protocol:
Day 1: daniel.haxx.se/blog/2024/11...
Day 2: daniel.haxx.se/blog/2024/11...
Day 3: daniel.haxx.se/blog/2024/11...
Day 1: daniel.haxx.se/blog/2024/11...
Day 2: daniel.haxx.se/blog/2024/11...
Day 3: daniel.haxx.se/blog/2024/11...
The 2024 HTTP Workshop
Day one. For the sixth time, this informal group of HTTP implementers and related "interested parties" unite in a room over a couple of days doing a HTTP Workshop. Nine years since that first event in...
daniel.haxx.se
November 15, 2024 at 5:40 PM
Daniel Stenberg's notes from this week's HTTP Workshop are a nice way of catching up on smart folks' thoughts about the present and future of your favorite transport protocol:
Day 1: daniel.haxx.se/blog/2024/11...
Day 2: daniel.haxx.se/blog/2024/11...
Day 3: daniel.haxx.se/blog/2024/11...
Day 1: daniel.haxx.se/blog/2024/11...
Day 2: daniel.haxx.se/blog/2024/11...
Day 3: daniel.haxx.se/blog/2024/11...
I set up this account, then nerdsniped myself right past the process of crafting a witty and enticing "Hello, world!" post to instead spend a few minutes trying to figure out whether Bluesky supported security keys rather than email for 2FA.
It apparently doesn't. 🤷
It apparently doesn't. 🤷
November 15, 2024 at 4:12 PM
I set up this account, then nerdsniped myself right past the process of crafting a witty and enticing "Hello, world!" post to instead spend a few minutes trying to figure out whether Bluesky supported security keys rather than email for 2FA.
It apparently doesn't. 🤷
It apparently doesn't. 🤷