Mike West

@mikewest

Making the web marginally less insecure, one deprecation at a time. I work on Chrome's security team, but my tweets are my own, etc, etc.

München, DE
Joined December 2006

Tweets

  1. Pinned Tweet
    Jan 28

    The more I hear people talking about `SameSite`, and trying to explain it to each other, the more I regret literally everything about the spelling choices we made in its design. Naming things is easier in retrospect.

  2. Retweeted
    Jan 31

    , , and I are starting a new security blog. In our first write-up, we will discuss the impact of "SameSite by default" and how it affects web app sec. Feel free to request future topics you would like us to cover.

  3. Retweeted
    Jan 22

    The time has come to fix that typo in Referer ;)

  4. Jan 19

    Not much snow, but just enough to have some fun with the kids this morning!

  5. Jan 16

    I think there's a lot of room for more collaboration between browser vendors and academia; this workshop (alongside IEEE Euro S&P in June) might be a good chance to kick off some new conversations!

  6. Retweeted
    Jan 15

    💕❤️💕 for all who have worked for a better web and a better world at Mozilla.

  7. Retweeted
    Jan 14

    Chrome plans to phase out support for third-party cookies. "Our intention is to do this within two years."

  8. Jan 14

    I'm excited about this. The UA string is a mess, somewhat fingerprintable, and legitimate use cases can be better and more clearly served by moving the information to an HTTPS-only client hint (a la ).

  9. Jan 8

    I'm quite happy with the effort that colleagues like , , and others clever enough not to be on Twitter put into this set of changes, and I'm looking forward to additional changes across a wider swath of permission UX in 2020 as we learn from this launch.

  10. Jan 8

    Feedback would be welcome, either here or as issues/PRs filed on the GitHub repository: . Thanks!

  11. Jan 8

    It's like the CSP: The Good Parts. Most users would be well-served with a policy like `Scripting-Policy: nonce=number-used-once`, and I think even complex deployments can be supported with a limited set of options. We can keep it small and focused, with a clear threat model.

  12. Jan 8

    I took some time to sketch out `Scripting-Policy` in a little more detail: . I'm starting to think it might actually not be a terrible idea.

  13. Retweeted

    An amazingly well written description of the upcoming SameSite cookie enforcement in Chrome 80. If your org makes use of cross-origin cookie access, you’re running out of time to fix before Feb 4. Via

  14. 16 Dec 2019

    I think I screwed up Chromium's layering of CSP on top of integrity metadata checks (). :/ Perhaps this is a good time to follow through on adding `integrity` processing to inline script and style blocks?

  15. Retweeted
    6 Dec 2019

    What is document.domain? What does it do? Why is it bad? (Thread)

  16. 5 Dec 2019

    Every year, Spotify's "Your top songs!" list reminds me about my previous year's plan to separate _my_ account from the family's Sonos system. On the plus side, I can see exactly which "Bibi Blocksberg" and "Ritter Rost" stories the kids had on repeat... :)

  17. 3 Nov 2019

    Behold: something vaguely like a mortice and tenon! Probably not a right angle on the whole piece... 🤪 Turns out, buying tools is not _exactly_ the same as knowing how to use them.

  18. Retweeted

    Check out these Mozilla research grant questions, many of them focusing on security and privacy!

  19. 24 Oct 2019

    My wife is about to be on a plane to Amsterdam, and I get to goof off with my kids until Tuesday. 🥳 Fair warning: I’ll be even worse at email than usual for the next few days.

  20. 16 Oct 2019

    This is a nice presentation of the current XSLeaks state of the art. I'm hopeful about the defense mechanisms we're working on deploying across browsers, but side channels are everywhere. It's a hard set of problems we're going to be busy with for a while...
