はてなブックマーク

(written August 2020) Chrome engineers are experimenting with Rust. For the foreseeable future, C++ is the reigning monarch in our codebase, and any use of Rust will need to fit in with C++ — not the other way around. This seems to present some C++/Rust interoperability challenges which nobody else has faced. We'd need to solve these before considering Rust as (nearly) a first-class citizen in our

The Chromium project finds that around 70% of our serious security bugs are memory safety problems. Our next major project is to prevent such bugs at source. The problem Around 70% of our high severity security bugs are memory unsafety problems (that is, mistakes with C/C++ pointers). Half of those are use-after-free bugs. (Analysis based on 912 high or critical severity security bugs since 2015,

Tips for testing and debugging SameSite-by-default and “SameSite=None; Secure” cookies (Last updated: Mar 18, 2021) What: An overview of steps you can take to test your site against Chrome’s new SameSite-by-default cookie behavior, and tips for debugging cookie issues that may be related. Who: You should read this if your site provides or depends upon cross-site cookies. Some of these tips will pr

Confused? Start here. Developers: Check out our testing and debugging tips. Adding `SameSite=None; Secure` to your cookies? Check the list of incompatible clients here. Check the list of Frequently Asked Questions (FAQ) for common scenarios and use cases. Launch Timeline Last updated Mar 18, 2021. Latest update: Mar 18, 2021: The flags #same-site-by-default-cookies and #cookies-without-same-site-m

Last updated: Nov 18, 2019 Some user agents are known to be incompatible with the `SameSite=None` attribute. Versions of Chrome from Chrome 51 to Chrome 66 (inclusive on both ends). These Chrome versions will reject a cookie with `SameSite=None`. This also affects older versions of Chromium-derived browsers, as well as Android WebView. This behavior was correct according to the version of the cook

Overview The Privacy Sandbox project’s mission is to “Create a thriving web ecosystem that is respectful of users and private by default.” The main challenge to overcome in that mission is the pervasive cross-site tracking that has become the norm on the web and on top of which much of the web’s ability to deliver and monetize content has been built. Our first principles for how we’re approaching

tl;dr: To improve security, cross-origin fetches will soon be disallowed from content scripts in Chrome Extensions. Such requests can be made from extension background pages instead, and relayed to content scripts when needed. [The document has been edited on 2020-09-17 to reflect that CORS-for-content-scripts has successfully launched in Chrome 85*.]*** Overview When web pages request cross-origi

Web browsers (and other agents, such as password managers) try to make the process of filling out forms as convenient to users as possible, to save time and frustration. However good they are at interpreting web pages, however, there are always a few things you, as a web developer, can make sure to do, to ensure the best experience for your users, by making your web pages accessible. Group related

What versions of QUIC does Chromium support? In June of 2021, Chromium defaults to supporting IETF QUIC draft29 and gQUIC Q050. Are there any documents about how QUIC performs? In 2017, we published a SIGCOMM paper which detailed QUIC's performance. Are there other implementations of QUIC? Yes, there are a number of other independent implementations. See the IETF Wiki for a full list. Can I build

HTTP Strict Transport Security allows a site to request that it always be contacted over HTTPS. HSTS is supported in Google Chrome, Firefox, Safari, Opera, Edge and IE (caniuse.com has a compatibility matrix). The issue that HSTS addresses is that users tend to type http:// at best, and omit the scheme entirely most of the time. In the latter case, browsers will insert http:// for them. However, H

Developer Recommendations Ultimately we recommend migrating towards HTML5 content, however for sites that still require Flash Player in the interim we recommend presenting users with a link/ image to "Enable" Flash Player that points to "https://get.adobe.com/flashplayer/." When users click on that link Chrome will present the necessary UI to enable Flash Player for the site. It will look somethin

Except as otherwise noted, the content of this page is licensed under a Creative Commons Attribution 2.5 license, and examples are licensed under the BSD License.

At the beginning of 2018, researchers from Google's Project Zero disclosed a series of new attack techniques against speculative execution optimizations used by modern CPUs. Security researchers will continue to find new variations of these and other side-channel attacks. Such techniques have implications for products and services that execute third-party code, including Chrome and other browsers

Overview Site Isolation is a security feature in Chrome that offers additional protection against some types of security bugs. It uses Chrome's sandbox to make it harder for untrustworthy websites to access or steal information from your accounts on other websites. Websites are typically not allowed to access each other's data inside the browser, thanks to code that enforces the Same Origin Policy

Automatically Comprehensible Password Forms You can help ensure that browsers' and extensions' password management functionality can understand your site's sign-up, sign-in and change-password forms by enriching your HTML with a dash of metadata. In particular: Add an autocomplete attribute with a value of username for usernames. If you've implemented an "email first" sign-in flow that separates t

This design document covers technical information about how Site Isolation is built. For a general overview of Site Isolation, see https://www.chromium.org/Home/chromium-security/site-isolation. Motivation Chrome's multi-process architecture provides many benefits for speed, stability, and security. It allows web pages in unrelated tabs to run in parallel, and it allows users to continue using the

Overview This page describes a USB-PD sniffing dongle with Type-C connectors. The dongle can be supported by Chrome devices as part of a USB-Type C implementation. Hardware Capabilities Sniffing USB Power Delivery traffic on both Control Channel lines (CC1/CC2) Transparent interposer on a USB Type-C connection Monitoring VBUS and VCONN voltages and currents (WARNING: VBUS path designed for SPR vol

Eng: dbeam@, dpapad@, dschuyler@, hcarmona@, michaelpg@, stevenjb@, tommycli@ PM: tbuckley@ UX: bettes@ Code Location: chrome/browser/resources/settings, chrome/browser/ui/webui/settings Objective To create a new Settings experience for Chromium/Chromium OS which will implement the material design spec, using web components as a maintainable and modular implementation. Using Visit chrome://md-sett