Posts by Mike West

GitHub - WICG/connection-allowlists Contribute to WICG/connection-allowlists development by creating an account on GitHub.

FWIW, CSP is the best thing you can use today, but it's not really built for exfiltration mitigation. We're working on github.com/wicg/connect... with that specific threat model in mind.

2 months ago 5 2 1 0

No spoilers!

4 months ago 2 0 1 0

I think @arw.me has an electric coffee mug (Ember?) keeping his beverage at a reasonable temperature for some extended period. Perhaps he could pass on a recommendation?

8 months ago 0 0 1 0

Have you considered writing more about potatoes?

1 year ago 2 0 0 0

On the other hand, knocking down fences is fun, while understanding why fences are there is usually not fun. :(

1 year ago 3 0 1 0
Modern solutions against cross-site attacks

Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices are always opt-in and finally how YOU can get increased security controls.

1 year ago 34 19 0 1
April King — Handling Cookies is a Minefield Discrepancies in how browsers and libraries handle HTTP cookies, and the problems caused by such things.

There's a good blog post from @april.social about cookie parsing: grayduck.mn/2024/11/21/h...

And I guess it's time to dust off my broader, 2010 rant about the same:
lcamtuf.blogspot.com/2010/10/http...

Some things have improved, but cookies are still a bit of a design fail.

1 year ago 17 7 1 0
SHA2 digest generator

Do you, like me, periodically need to produce a base64-encoded SHA-2 hash of some text? Have you found existing online generator tools to be slightly annoying in some minor way that doesn't precisely fit your workflow? Well, here's another that will annoy you in _different_ ways:

sha2.it

1 year ago 3 0 0 0
Signature-based Integrity

You're entirely right. The promises signatures can make are different in kind, but hopefully no less useful. wicg.github.io/signature-ba... and wicg.github.io/signature-ba... get at the distinctions to some extent, and I'd welcome additions to those descriptions.

1 year ago 1 0 0 0
It's unfortunate that this is _also_ the way to discover whether food is untasty.

1 year ago 0 0 0 0
Security Signals: Making Web Security Posture Measurable At Scale

Happy to publish the effort of my last five years: Security Signals.

research.google/pubs/securit...

1 year ago 27 7 0 1
Signature-based Integrity

wicg.github.io/signature-ba... seems likely to depend on this mechanism; it's going to be necessary to spell out unambiguous approaches to those decision points that make it clear how to generate and validate signatures in a consistent way on both the server and the client.

1 year ago 0 0 0 0
RFC 9421: HTTP Message Signatures This document describes a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over components of an HTTP message. This mechanism supports use cases where...

I'm skimming RFC9421's signing and validation algorithms for reasons, and it seems like the spec provides way more room for confusion about what's being signed than I'd prefer, with guidance like "Determine an order for any signature parameters...". How? 🤷

www.rfc-editor.org/rfc/rfc9421....

1 year ago 0 0 1 0
The 2024 HTTP Workshop Day one. For the sixth time, this informal group of HTTP implementers and related "interested parties" unite in a room over a couple of days doing an HTTP Workshop. Nine years since that first event in...

Daniel Stenberg's notes from this week's HTTP Workshop are a nice way of catching up on smart folks' thoughts about the present and future of your favorite transport protocol:

Day 1: daniel.haxx.se/blog/2024/11...

Day 2: daniel.haxx.se/blog/2024/11...

Day 3: daniel.haxx.se/blog/2024/11...

1 year ago 2 1 1 0

I set up this account, then nerdsniped myself right past the process of crafting a witty and enticing "Hello, world!" post to instead spend a few minutes trying to figure out whether Bluesky supported security keys rather than email for 2FA.

It apparently doesn't. 🤷

1 year ago 1 0 0 0