Profile cover photo
Profile photo
Mike West
I like the web.
I like the web.

Mike's posts

Post has shared content
Yay, Facebook is using HSTS! Their response header pins the certificate for 30 days (2592000 seconds): prevents MITM attacks, makes the browser automatically rewrite all requests to HTTPS.. aka, no costly redirects!

For a great intro to HSTS check out this article by +Mike West:

Post has shared content
I agree with +Alexis Moussine-Pouchkine; this talk is worth your time to watch. :)
Do yourself and your users a favor and watch this (free) Web Security talk by +Mike West from #devoxx  

Post has attachment
Our first Christmas tree in the new house. It's a very nice way to begin the holidays.

I'll be out of the office and hopefully paying less attention than usual to the internet until early January. Happy holidays to you all, and a good start in the new year.

Post has attachment
I spoke about the secure bits of the web platform at the GOTO conference in Aarhus (#gotoaar), and I think it turned out pretty well. As you might expect, Content Security Policy plays a large role. :)

The talk itself is ~40 minutes long, with ~10 minutes of Q/A afterwards.


Post has attachment
Cross-site scripting attacks are a thing, really, and I had the opportunity to discuss them at +CSSConf EU this year. I've wrapped up the video and slides at Please do take a look, I think it'll be a half-hour of your life well-spent.

Video: [ 2013] Mike West - XSS. (No, the _other_ "S")


Special thanks to +Mario Heiderich  from whose wonderful paper "Scriptless Attacks - Stealing the Pie Without Touching the Sill", I stole most of the talk's attack-based content:

Post has attachment
Frontend Security is a wrap-up of slides, video, and an annotated transcript of my "Frontend Security" talk from last month's Frontend Conference in Zürich.

I'm quite happy with how the presentation turned out; I think there's a good bit of useful information there, and a bunch of links to articles I think are well worth reading.

Take a few minutes to follow along at home: you won't be disappointed.

(Thanks to Google's transcription budget (yay!), and +Brad Hill, whose "Odysseus and the Sirens" metaphor I've once again stolen wholesale: love it!)

Post has attachment
Useless error messages (in Blink) considered harmful.

+Erik Arvidsson landed a heroic series of patches recently to make Blink capable of generating exceptions with actually useful messages, as opposed to the generic "SecurityError: An attempt was made to break through the security policy of the user agent."-style uselessness. Now that we're capable of having decent error messages, there's a long slog ahead of us through hundreds of callsites. I'd appreciate your help prioritizing things. is a ~3 question survey. If an error message (or lack thereof!) has made you rip your hair our recently, tell me about it. Bonus points if you can help me reproduce it so I can write a test!

You can follow along at home by starring, where I'll be filing bugs that you folks report. If you add your email address to the form, I'll even CC you on the bug. That's service!

Thanks for your time. It'll make Blink better for everyone. :)

Post has attachment
Some nice improvements to 'window.onerror' in Blink.

After working with Blink's implementation of `window.onerror` over the last week or so, I'm a bit surprised that anyone ever used it for anything useful at all. The good news is that a few nice improvements have landed recently that should make your life simpler. I've highlighted a few at

Two of those are interesting enough to pull out here:

1. An 'error' parameter has been added to both the 'window.onerror' handler, and to the 'ErrorEvent' interface. This means that you can grab the actual exception that was thrown and process the stack trace, which is a huge win:

2. Blink no longer sanitizes the exception details for scripts loaded with a 'crossorigin' attribute, and served with appropriate CORS headers. This means that you can serve scripts from a CDN (as you ought!), but still get relevant details when reporting errors: Important to note, however, is that you'll need to do some good testing here. If the server doesn't send the right headers, scripts loaded with a 'crossorigin' attribute will fail to load entirely.

I'd appreciate you folks running out and banging on these features in Canary. The 'error' object is already out in today's Canary, and CORS support should be popping out tomorrow or early next week, depending on how things go. I expect there to be edge cases I missed, so feedback is much appreciated. :)

File bugs at, and ping me with the bug IDs. I'll make sure to take a look.

Thanks to +Adam Barth+Christophe Dumez, +Michael Starzinger, +Jochen Eisinger, +Adam Klein, +Yang Guo, and Dan Doesntusegoogleplus for going over the patches with a fine-toothed comb before they landed. :)

Post has attachment
This presentation from Velocity 2012 is very well prepared argument for analyzing the outliers in your performance data. If you have ~19 minutes to spare, take a look. I think you'll enjoy it.

(Hat tip to +William Chan for the link on blink-dev)

Velocity 2012: John Rauser, "Investigating Anomalies"

Post has attachment
I'm slowly sliding back into The World Out There™ after a few weeks of paternity leave with these three lovely ladies. If you've sent me an email in the last two months or so that I haven't replied to (and it's still relevant?), you can safely assume I'm never going to see it. Please send it again. :)
Animated Photo
Wait while more posts are being loaded