Guest Blog Post - Attacking the DevTools
Posted Jul 21, 2021 2021-07-21T09:00:00-07:00 by David Erceg In this post, we’ve invited David Erceg, one of the participants in the Edge bug bounty program, to talk about interesting bugs he found in Edge. By sharing this information, we hope more security researchers are motivated to work with us to improve the security of Edge and Chromium as a whole. IntroductionWithin Chromium and its derivat
Increasing HTTPS adoption
$200K 1 10th birthday 4 abusive ads 1 abusive notifications 2 accessibility 3 ad blockers 1 ad blocking 2 advanced capabilities 1 android 2 anti abuse 1 anti-deception 1 background periodic sync 1 badging 1 benchmarks 1 beta 83 better ads standards 1 billing 1 birthday 4 blink 2 browser 2 browser interoperability 1 bundles 1 capabilities 6 capable web 1 cds 1 cds18 2 cds2018 1 chrome 35 chrome 81
An updated timeline for Privacy Sandbox milestones
Today, we’re sharing the latest on the Privacy Sandbox initiative including a timeline for Chrome’s plan to phase out support for third-party cookies. While there’s considerable progress with this initiative, it's become clear that more time is needed across the ecosystem to get this right. The Privacy Sandbox initiative aims to create web technologies that both protect people’s privacy online and
Privacy analysis of FLoC | The Mozilla Blog
In a previous post, I wrote about a new set of technologies “Privacy Preserving Advertising”, which are intended to allow for advertising without compromising privacy. This post discusses one of those proposals–Federated Learning of Cohorts (FLoC)–which Chrome is currently testing. The idea behind FLoC is to make it possible to target ads based on the interests of users without revealing their bro
GitHub - mikewest/coop-by-default: Wouldn't it be nice if `Cross-Origin-Opener-Policy` was applied by default?
When a web application opens another origin in a window, it obtains a JavaScript reference to that context that it can reach through to poke at various things. The opened context likewise receives a reference to its opener which provides similar access. This communication channel between the two windows enables attacks both at the web API level (postMessage vulnerabilities, navigation trickery, an
GitHub - mikewest/deprecating-document-domain: `document.domain` intentionally weakens the only security boundary we have. Perhaps we can dump it?
The primary security boundary of the World Wide Web is the origin. The same-origin policy guarantees that one web page cannot access (modify, or extract data from) another page, unless those pages are hosted on the same origin. Several pages within an origin can fully cooperate as a single website, but pages from different origins are isolated and cannot interfere with each other. The same origin
Using Fake Reviews to Find Dangerous Extensions – Krebs on Security
Fake, positive reviews have infiltrated nearly every corner of life online these days, confusing consumers while offering an unwelcome advantage to fraudsters and sub-par products everywhere. Happily, identifying and tracking these fake reviewer accounts is often the easiest way to spot scams. Here’s the story of how bogus reviews on a counterfeit Microsoft Authenticator browser extension exposed
FLoCとはなにか - ぼちぼち日記
1. はじめに Google がChrome/89よりトライアルを開始しているFLoC (Federated Learning of Cohorts)技術に対して、現在多くの批判が集まっています。 批判の内容は様々な観点からのものが多いですが、以前より Privacy Sandbox に対して否定的な見解を示してきたEFFの批判「Google Is Testing Its Controversial New Ad Targeting Tech in Millions of Browsers. Here’s What We Know.」が一番まとまっているものだと思います。 これまで Privacy Sandbox 技術に関わってきた身としては、各種提案の中でFLoCは特にユーザへの注意が最も必要なものだと思っていました。しかし、これまでのド直球なGoogleの進め方によって、FLoCのトラ
Spectre の影響を受けないウェブを作るための概念実証について
.app 1 .dev 1 #11WeeksOfAndroid 13 #11WeeksOfAndroid Android TV 1 #Android11 3 #DevFest16 1 #DevFest17 1 #DevFest18 1 #DevFest19 1 #DevFest20 1 #DevFest21 1 #DevFest22 1 #DevFest23 1 #hack4jp 3 11 weeks of Android 2 A MESSAGE FROM OUR CEO 1 A/B Testing 1 A4A 4 Accelerator 6 Accessibility 1 accuracy 1 Actions on Google 16 Activation Atlas 1 address validation API 1 Addy Osmani 1 ADK 2 AdMob 32 Ads
Spectre
This site hosts a proof of concept for the Spectre vulnerability written in JavaScript. It was developed and optimized for Chrome 88 running on an Intel® Core™ i7-6500U processor on Linux. While it was confirmed to work on other CPUs (different vendor and/or generation), operating systems and Chromium flavors, you might have to adjust the configuration and it might work less reliably (or not at al
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
https://bugs.chromium.org/p/chromium/issues/detail?id=1065085
https://bugs.chromium.org/p/chromium/issues/detail?id=1176753
Intent to Experiment: Cross-Origin-Embedder-Policy: credentialless
credentiallessness/explainer.md at main · WICG/credentiallessness
GitHub - mikewest/embedding-requires-opt-in: Embedding a document (via `<iframe>`, etc) should require explicit opt-in from the embedee.
From security as opt-in to security by default | Session
PartitionAlloc Design
quota-storage-partitioning/explainer.md at main · wanderview/quota-storage-partitioning
Detecting the FLoC opt-out HTTP Header
Intent to Prototype: SameParty cookie attribute