annotating the internet

archivebay

Latest

Text

Mike West works and plays on the internet. Currently working as a

software engineer on Google's Chrome team in Munich, he tries to make

the web platform marginally less insecure than it generally is. Drop

him an email at mike@mikewest.org follow him on Twitter

or circle him on Google+

MIKE WEST

builds websites that (on their best days) _delight_ & _inform_. He

does it well.

RECENT WRITING

* Web Platform Security @ CMS Security Summit 2020

February 10, 2020

This is a quick summary of a presentation I gave last week at

Google’s second CMS Security Summit, held here in Munich. TL;DR:

Injection attacks are bad, isolation is lacking, and I’m looking

forward to more collaboration on both fronts.

* XSS (No, the _other_ 'S') - CSSConf EU 2013

September 24, 2013

I had the distinct pleasure of talking with folks at this year’s

CSSConf EU about the dangers of content-injection attacks. They’re

not just for JavaScripters, you see: CSS is dangerous too! They’ve

just posted the video, and I think it’s worth a little under a

half-hour of your time to skim through.

* Frontend Security - Frontend Conference, Zürich 2013

September 09, 2013

Last week, I was in Zürich to chat about client-side security. Here,

I’ve wrapped up an annotated transcript, along with the slides and

video. I’m pretty happy with how the talk turned out: I think it’s

a good representation of what I think is important in frontend

security, and worth your time to peruse.

* Debugging runtime errors with 'window.onerror' in Blink

August 08, 2013

After working with Blink’s implementation of window.onerror a little

bit over the last week or so, I’m somewhat amazed that anyone ever

used it for anything at all. Happily, we’ve made some big

improvements in the last week or two that I think it’s worth

highlighting here.

* Securing the Client Side

February 25, 2013

At the end of last year, I presented ‘Securing the Client Side’ at

Devoxx, and I’ve been meaning to put together a more accessible

version of the talk for those who weren’t there. I think the topics

are important, and worth the effort of updating this site for the

first time in a year. _cough_.

* Content Security Policy: Feature Detection

May 02, 2012

AngularJS has recently implemented support for Content Security Policy

that restricts the use of eval(), new Function(), and other such

text-to-JS conduits. This is a huge win, as CSP is one of the best

protections modern browsers provide against XSS attacks. However,

Angular’s implementation reveals a need for feature detection that

the spec currently doesn’t address. This is my proposal for such an

API.

* Chrome connects to three random domains at startup.

February 18, 2012

When you start Chrome, it attempts to connect to three random domains.

I’ve seen a few theories about why exactly this happens that brush

up against the nefarious. The true rationale is incredibly mundane:

hopefully this short summary will clear things up.

* Nerdy New Year

December 31, 2011

New Year’s resolutions come in all shapes and sizes; if you’re a

web developer stuck for good ideas of things you could do to improve

the world (or at least the tiny chunk of it that’s concerned with

web performance and security) I’d like to propose two: secure all

your websites, and use a cookieless domain for static assets.

* Making Your Web Apps Accessible Using HTML5 and ChromeVox

December 16, 2011

Back in November, I presented twice at the Google Developer Day in

Tel-Aviv. The first of those talks has been uploaded, and I spent most

of the afternoon transcribing it to post here. I wanted to give the

audience (you!) an introduction to screen readers, and to building

accessible websites and applications. I think it was pretty

successful, and I hope you enjoy it if you watch at home.

* GDD Keynote: The HTML5 Demos

November 21, 2011

I had the opportunity to present a few demos during the Chrome section

of Saturday’s Google Developer Day in Berlin (which, incidentally,

was a blast). I expect a video to go up at some point in the vaguely

near future, but, since I got more than a few questions about it,

I’m throwing the links up here as a stopgap before the video’s

released.

site's content is available for non-commercial reuse .

Enjoy!

Source

<!DOCTYPE html><html lang="en" dir="ltr"><head>
    <meta charset="utf-8">
    <title>
        
        
            Mike West is a Web Developer in Munich
        
    </title>
    
<meta http-equiv="x-dns-prefetch-control" content="on">
<link rel="dns-prefetch" href="//ssl.google-analytics.com">

</head>
  <body>
    <address class="vcard">
  <p>
    <a href="/" class="fn" rel="home">Mike West</a>
    <span>
      works and plays on the internet. Currently working as a software
      engineer on Google's Chrome team in Munich, he tries to make the web
      platform marginally less insecure than it generally is. Drop him an
      email at
    </span>
    <a href="mailto:mike@mikewest.org" title="Drop me an email." class="email icon">mike@mikewest.org</a>
    <span>
      follow him on
    </span>
    <a href="http://twitter.com/mikewest" rel="me" title="Follow me on Twitter" class="twitter icon">Twitter</a>
    <span>
      or circle him on
    </span>
    <a href="https://plus.google.com/104437754419996754779/" rel="me" title="Circle me on Google+" class="plus icon">Google+</a>
  </p>
</address>

<section class="bio">
  <h1><a href="/is">
      <img src="/static/images/mikewest.jpg" alt="" width="420" height="270">
      Mike West
  </a></h1>
  <p>
    builds websites that (on their best days)
    <em>delight</em> <span class="amp">&amp;</span>
    <em>inform</em>.  He does it well.
  </p>
</section>
<section role="main" class="recent">
  <h2>Recent <a href="/archive" rel="archive">Writing</a></h2>
  <ol class="hatom">

<li class="hentry"><article>
      <a href="/2020/02/cms-security-summit-2020/" class="entry-title" rel="bookmark">Web Platform Security @ CMS Security Summit 2020</a>
      <div class="meta">
        <time class="published updated" datetime="2020-02-10" pubdate="">February 10, 2020</time>
      </div>
      <div class="entry-summary">
        <p>This is a quick summary of a presentation I gave last week at Google’s second CMS Security Summit, held here in Munich. TL;DR: Injection attacks are bad, isolation is lacking, and I’m looking forward to more collaboration on both fronts.</p>

</div>
    </article></li>

<li class="hentry"><article>
      <a href="/2013/09/xss-no-the-other-s-cssconfeu-2013/" class="entry-title" rel="bookmark">XSS (No, the _other_ 'S') - CSSConf EU 2013</a>
      <div class="meta">
        <time class="published updated" datetime="2013-09-24" pubdate="">September 24, 2013</time>
      </div>
      <div class="entry-summary">
        <p>I had the distinct pleasure of talking with folks at this year’s CSSConf EU about the dangers of content-injection attacks. They’re not just for JavaScripters, you see: CSS is dangerous too! They’ve just posted the video, and I think it’s worth a little under a half-hour of your time to skim through.</p>

</div>
    </article></li>

<li class="hentry"><article>
      <a href="/2013/09/frontend-security-frontendconf-2013/" class="entry-title" rel="bookmark">Frontend Security - Frontend Conference, Zürich 2013</a>
      <div class="meta">
        <time class="published updated" datetime="2013-09-09" pubdate="">September 09, 2013</time>
      </div>
      <div class="entry-summary">
        <p>Last week, I was in Zürich to chat about client-side security. Here, I’ve wrapped up an annotated transcript, along with the slides and video. I’m pretty happy with how the talk turned out: I think it’s a good representation of what I think is important in frontend security, and worth your time to peruse.</p>

</div>
    </article></li>

<li class="hentry"><article>
      <a href="/2013/08/debugging-runtime-errors-with-window-onerror/" class="entry-title" rel="bookmark">Debugging runtime errors with 'window.onerror' in Blink</a>
      <div class="meta">
        <time class="published updated" datetime="2013-08-08" pubdate="">August 08, 2013</time>
      </div>
      <div class="entry-summary">
        <p>After working with Blink’s implementation of <code class="highlighter-rouge">window.onerror</code> a little bit over the last week or so, I’m somewhat amazed that anyone ever used it for anything at all. Happily, we’ve made some big improvements in the last week or two that I think it’s worth highlighting here.</p>

</div>
    </article></li>

<li class="hentry"><article>
      <a href="/2013/02/securing-the-client-side-devoxx-2012/" class="entry-title" rel="bookmark">Securing the Client Side</a>
      <div class="meta">
        <time class="published updated" datetime="2013-02-25" pubdate="">February 25, 2013</time>
      </div>
      <div class="entry-summary">
        <p>At the end of last year, I presented ‘Securing the Client Side’ at Devoxx, and I’ve been meaning to put together a more accessible version of the talk for those who weren’t there. I think the topics are important, and worth the effort of updating this site for the first time in a year. <em>cough</em>.</p>

</div>
    </article></li>

<li class="hentry"><article>
      <a href="/2012/05/content-security-policy-feature-detection/" class="entry-title" rel="bookmark">Content Security Policy: Feature Detection</a>
      <div class="meta">
        <time class="published updated" datetime="2012-05-02" pubdate="">May 02, 2012</time>
      </div>
      <div class="entry-summary">
        <p>AngularJS has recently implemented support for Content Security Policy that restricts the use of <code class="highlighter-rouge">eval()</code>, <code class="highlighter-rouge">new Function()</code>, and other such text-to-JS conduits. This is a huge win, as CSP is one of the best protections modern browsers provide against XSS attacks. However, Angular’s implementation reveals a need for feature detection that the spec currently doesn’t address. This is my proposal for such an API.</p>

</div>
    </article></li>

<li class="hentry"><article>
      <a href="/2012/02/chrome-connects-to-three-random-domains-at-startup/" class="entry-title" rel="bookmark">Chrome connects to three random domains at startup.</a>
      <div class="meta">
        <time class="published updated" datetime="2012-02-18" pubdate="">February 18, 2012</time>
      </div>
      <div class="entry-summary">
        <p>When you start Chrome, it attempts to connect to three random domains. I’ve seen a few theories about why exactly this happens that brush up against the nefarious. The true rationale is incredibly mundane: hopefully this short summary will clear things up.</p>

</div>
    </article></li>

<li class="hentry"><article>
      <a href="/2011/12/nerdy-new-year/" class="entry-title" rel="bookmark">Nerdy New Year</a>
      <div class="meta">
        <time class="published updated" datetime="2011-12-31" pubdate="">December 31, 2011</time>
      </div>
      <div class="entry-summary">
        <p>New Year’s resolutions come in all shapes and sizes; if you’re a web developer stuck for good ideas of things you could do to improve the world (or at least the tiny chunk of it that’s concerned with web performance and security) I’d like to propose two: secure all your websites, and use a cookieless domain for static assets.</p>

</div>
    </article></li>

<li class="hentry"><article>
      <a href="/2011/12/transcript-gdd-accessibility-with-chromevox/" class="entry-title" rel="bookmark">Making Your Web Apps Accessible Using HTML5 and ChromeVox</a>
      <div class="meta">
        <time class="published updated" datetime="2011-12-16" pubdate="">December 16, 2011</time>
      </div>
      <div class="entry-summary">
        <p>Back in November, I presented twice at the Google Developer Day in Tel-Aviv. The first of those talks has been uploaded, and I spent most of the afternoon transcribing it to post here. I wanted to give the audience (you!) an introduction to screen readers, and to building accessible websites and applications. I think it was pretty successful, and I hope you enjoy it if you watch at home.</p>

</div>
    </article></li>

<li class="hentry"><article>
      <a href="/2011/11/gdd-keynote-the-html5-demos/" class="entry-title" rel="bookmark">GDD Keynote: The HTML5 Demos</a>
      <div class="meta">
        <time class="published updated" datetime="2011-11-21" pubdate="">November 21, 2011</time>
      </div>
      <div class="entry-summary">
        <p>I had the opportunity to present a few demos during the Chrome section of Saturday’s Google Developer Day in Berlin (which, incidentally, was a blast). I expect a video to go up at some point in the vaguely near future, but, since I got more than a few questions about it, I’m throwing the links up here as a stopgap before the video’s released.</p>

</div>
    </article></li>

</ol>
</section>

</body></html>