Mike West
Works at Google
Attended University of Texas: Austin
Lives in Munich, Germany
11,945 followers | 1,035,084 views

Stream

Mike West

Shared publicly  - 
 
Awesome!
 
Yay, Facebook is using HSTS! Their response header pins the certificate for 30 days (2592000 seconds): prevents MITM attacks, makes the browser automatically rewrite all requests to HTTPS, aka no costly redirects!

For a great intro to HSTS check out this article by +Mike West: http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
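The reshared post above talks about a 30-day (2592000 second) HSTS policy and automatic HTTPS rewriting. The following is an added example, not code from the post or from any browser: a small model of how a browser parses a Strict-Transport-Security header, remembers it, and decides to rewrite a plain-http request before sending it. The `cache` Map, the `nowMs` clock and the `overTls` flag are assumptions of this example.

```javascript
// Parse a Strict-Transport-Security value into { maxAge, includeSubDomains };
// null means "ignore the header" (no max-age, or not a non-negative integer).
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const raw of String(headerValue).split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq < 0 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq < 0 ? '' : directive.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (!/^\d+$/.test(value)) return null;
      policy.maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// Remember a host's policy in `cache` (Map: host -> { expiresMs, includeSubDomains }).
// Browsers honour the header only on TLS responses; max-age=0 forgets the host.
function recordHsts(cache, host, headerValue, nowMs, overTls) {
  if (!overTls) return cache;
  const policy = parseHsts(headerValue);
  if (!policy) return cache;
  if (policy.maxAge === 0) {
    cache.delete(host.toLowerCase());
  } else {
    cache.set(host.toLowerCase(), {
      expiresMs: nowMs + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
  }
  return cache;
}
// Is an http:// request to `host` rewritten to https:// before it leaves the
// browser (no redirect round-trip)? Parent domains count only with
// includeSubDomains; expired entries are dropped on the way.
function shouldUpgrade(cache, host, nowMs) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const entry = cache.get(candidate);
    if (!entry) continue;
    if (entry.expiresMs <= nowMs) { cache.delete(candidate); continue; }
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}
```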

Mike West

Shared publicly  - 
 
Our first Christmas tree in the new house. It's a very nice way to begin the holidays.

I'll be out of the office and hopefully paying less attention than usual to the internet until early January. Happy holidays to you all, and a good start in the new year.
 
Happy holidays to Elisabeth and you as well!

Mike West

Shared publicly  - 
 
Frontend Security

https://mikewest.org/2013/09/frontend-security-frontendconf-2013 is a wrap-up of slides, video, and an annotated transcript of my "Frontend Security" talk from last month's Frontend Conference in Zürich.

I'm quite happy with how the presentation turned out; I think there's a good bit of useful information there, and a bunch of links to articles I think are well worth reading.

Take a few minutes to follow along at home: you won't be disappointed.

(Thanks to Google's transcription budget (yay!), and +Brad Hill, whose "Odysseus and the Sirens" metaphor I've once again stolen wholesale: love it!)
 
Thank you for the project.

Mike West

Shared publicly  - 
 
Some nice improvements to 'window.onerror' in Blink.

After working with Blink's implementation of `window.onerror` over the last week or so, I'm a bit surprised that anyone ever used it for anything useful at all. The good news is that a few nice improvements have landed recently that should make your life simpler. I've highlighted a few at https://mikewest.org/2013/08/debugging-runtime-errors-with-window-onerror.

Two of those are interesting enough to pull out here:

1. An 'error' parameter has been added to both the 'window.onerror' handler, and to the 'ErrorEvent' interface. This means that you can grab the actual exception that was thrown and process the stack trace, which is a huge win: http://crbug.com/147127

2. Blink no longer sanitizes the exception details for scripts loaded with a 'crossorigin' attribute, and served with appropriate CORS headers. This means that you can serve scripts from a CDN (as you ought!), but still get relevant details when reporting errors: http://crbug.com/159566. Important to note, however, is that you'll need to do some good testing here. If the server doesn't send the right headers, scripts loaded with a 'crossorigin' attribute will fail to load entirely.

I'd appreciate you folks running out and banging on these features in Canary. The 'error' object is already out in today's Canary, and CORS support should be popping out tomorrow or early next week, depending on how things go. I expect there to be edge cases I missed, so feedback is much appreciated. :)

File bugs at http://crbug.com/new, and ping me with the bug IDs. I'll make sure to take a look.

Thanks to +Adam Barth, +Christophe Dumez, +Michael Starzinger, +Jochen Eisinger, +Adam Klein, +Yang Guo, and Dan Doesntusegoogleplus for going over the patches with a fine-toothed comb before they landed. :)
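The post above describes the new `error` argument to `window.onerror` and the `crossorigin` + CORS requirement for getting details from CDN-hosted scripts. The following is an added example, not code from the post or from Blink: a handler that builds a structured report from the five `onerror` arguments, uses the error object's stack when it is there, and flags the sanitized "Script error." case so it is noticed as a deployment problem. The `sink` callback and the report shape are assumptions of this example.

```javascript
// Turn the five arguments Blink hands to window.onerror into a report.
// The fifth one, `error`, is the new parameter described in the post; when
// present it carries the real exception and therefore a usable stack trace.
function buildErrorReport(message, source, lineno, colno, error) {
  // A script from another origin loaded without `crossorigin` (or served
  // without matching CORS headers) is reported only as "Script error." with
  // no location and no error object. Flag that so it shows up as a deployment
  // problem rather than as an empty bug.
  const sanitized = String(message) === 'Script error.' && !source && !error;
  const report = {
    message: String(message),
    source: source || null,
    line: lineno || null,
    column: colno || null,
    sanitized,
    stack: null,
    hint: null,
  };
  if (error && typeof error.stack === 'string') {
    // Drop the leading "Name: message" line of a V8 stack; keep the frames.
    report.stack = error.stack.split('\n').slice(1).map((l) => l.trim()).filter(Boolean);
  }
  if (sanitized) {
    report.hint = 'Details withheld: serve the script with CORS headers and load it ' +
      'with crossorigin="anonymous" (without the headers it will not load at all).';
  }
  return report;
}

// Install the handler on a window-like object; `sink` receives each report.
// Returns false outside a browser so the module can be loaded for testing.
function installOnError(win, sink) {
  if (!win) return false;
  win.onerror = function (message, source, lineno, colno, error) {
    sink(buildErrorReport(message, source, lineno, colno, error));
    return false; // let the browser also log the error to the console
  };
  return true;
}

if (typeof window !== 'undefined') {
  installOnError(window, (report) => console.log(JSON.stringify(report)));
}
```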

Mike West

Shared publicly  - 
 
This presentation from Velocity 2012 is a very well-prepared argument for analyzing the outliers in your performance data. If you have ~19 minutes to spare, take a look. I think you'll enjoy it.

(Hat tip to +William Chan for the link on blink-dev)

Velocity 2012: John Rauser, "Investigating Anomalies"
 
Added to my watch later / weekend viewing. Thanks!

Mike West

Shared publicly  - 
 
If you'll be in or around Zürich at the end of August, swing by the doc sprint. We'll be happy to see you there!
 
Switzerland's first +Web Platform Doc Sprint is on in Zurich!

Join us August 28, back-to-back with the fine FEC13 Frontend Conference, in cozy Colab Zurich and let me, +Chris Mills, +Mike West, +Rodney Rehm and other fellows guide you to help document the web platform and improve the WebPlatform.org user experience!

Find all details and please sign up here:
http://wpds-zurich.eventbrite.com/
 
+David Maciejewski Sure, we can certainly make something work. :)

Mike West

Shared publicly  - 
 
I agree with +Alexis Moussine-Pouchkine; this talk is worth your time to watch. :)
 
Do yourself and your users a favor and watch this (free) Web Security talk by +Mike West from #devoxx  
 
Hi

Mike West

Shared publicly  - 
 
I spoke about the secure bits of the web platform at the GOTO conference in Aarhus (#gotoaar), and I think it turned out pretty well. As you might expect, Content Security Policy plays a large role. :)

The talk itself is ~40 minutes long, with ~10 minutes of Q/A afterwards.

Enjoy!
 
+Mike West Please do!

Mike West

Shared publicly  - 
 
Cross-site scripting attacks are a thing, really, and I had the opportunity to discuss them at +CSSConf EU this year. I've wrapped up the video and slides at https://mikewest.org/2013/09/xss-no-the-other-s-cssconfeu-2013. Please do take a look, I think it'll be a half-hour of your life well-spent.

Video: [CSSconf.eu 2013] Mike West - XSS. (No, the _other_ "S")

Slides: https://speakerdeck.com/mikewest/xss-no-the-other-s-cssconf-eu-2013

Special thanks to +Mario Heiderich, from whose wonderful paper "Scriptless Attacks - Stealing the Pie Without Touching the Sill" I stole most of the talk's attack-based content: http://www.nds.rub.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf
 
+Christoph Mewes Thanks! Glad you enjoyed it! :)

Mike West

Shared publicly  - 
 
Useless error messages (in Blink) considered harmful.

+Erik Arvidsson landed a heroic series of patches recently to make Blink capable of generating exceptions with actually useful messages, as opposed to the generic "SecurityError: An attempt was made to break through the security policy of the user agent."-style uselessness. Now that we're capable of having decent error messages, there's a long slog ahead of us through hundreds of callsites. I'd appreciate your help prioritizing things.

https://docs.google.com/forms/d/17DguWRQgMdKtSjXYb8vJJKSY-WO92gHIsWd3FAfOhh0/viewform is a ~3 question survey. If an error message (or lack thereof!) has made you rip your hair out recently, tell me about it. Bonus points if you can help me reproduce it so I can write a test!

You can follow along at home by starring http://crbug.com/152678, where I'll be filing bugs that you folks report. If you add your email address to the form, I'll even CC you on the bug. That's service!

Thanks for your time. It'll make Blink better for everyone. :)
Error Messages: 2013-08
Hello, lovely web developer! Not every console error or exception message that Chrome generates is amazingly helpful. Some are, in fact, frustratingly useless. "SecurityError: An attempt was made to break through the security policy of the user agent." for example. What attempted what? Which policy did it violate? What the heck are we even talking about?! We'd like to make things better. I think we'll end up auditing most/all of the messages, ...

Mike West

Shared publicly  - 
 
I'm slowly sliding back into The World Out There™ after a few weeks of paternity leave with these three lovely ladies. If you've sent me an email in the last two months or so that I haven't replied to (and it's still relevant?), you can safely assume I'm never going to see it. Please send it again. :)
<3

Mike West

Shared publicly  - 
 
FYI: We finally got around to renaming the "Enable experimental WebKit features" flag in Chromium. If you'd like to play around with the latest and greatest that's landing in Blink, then chrome://flags/#enable-experimental-web-platform-features is the flag you'll want to flip in today's Canary.
 
Cool, guess that I need to get my WIP committed ASAP then :)
Work
Occupation
Software Engineer for Google Chrome
Skills
Web stuff.
Employment
  • Google
    Developer Advocate, 2010 - present
  • Sueddeutsche.de
    Senior Web Developer, 2008 - 2010
  • Yahoo
    Web Developer, 2005 - 2008
Places
Currently
Munich, Germany
Previously
Austin, TX - Plano, TX
Story
Tagline
I like the web.
Introduction
I'm a philosophy student cleverly disguised as an experienced and successful web developer, now working on Google's Chrome team.
Bragging rights
I work on Blink and Chromium (and sometimes WebKit).
Education
  • University of Texas: Austin
  • Stuttgart Universität (language school only)
Basic Information
Gender
Male
Looking for
Friends, Networking
Relationship
Married
Other names
mikewest, mkwst, michael west
Mike West's +1's are the things they like, agree with, or want to recommend.
HTML5 Rocks - An Introduction to Content Security Policy
www.html5rocks.com

Mitigate the risk of cross-site scripting attacks by whitelisting trusted origins with a Content Security Policy.

Brenner
plus.google.com

Brenner hasn't shared anything on this page with you.

The Wheel of Time - Wikipedia, the free encyclopedia
en.wikipedia.org

portrait The original cover of the first book in the series. See list of books in series. Author, Robert Jordan and Brandon Sanderson. Cover