arturjanc
I've been thinking about proposing some updates to the "Root cause" section, but I'm having some trouble understanding the main points it tries to convey. Basically, it starts by describing...
The XS-Leak described in the main example has the drawback of requiring cookies to be present on cross-site resource loads, and at this point both Safari and Chrome don't attach...
The current model of cross-origin isolation is incompatible with federated sign-in flows based on popups. Any popup opened by a document with a COOP of `same-origin` will not be able...
Currently, section §2.6.4 allows same-origin base URIs, but bans cross-origin ones. This could be problematic in the case of the server redirecting parts of its URL space to cross-site endpoints...
This problem is partly discussed by https://github.com/WICG/floc/issues/36 and is related to https://github.com/WICG/floc/issues/38#issuecomment-773260972 but I want to make the threat scenario more explicit. The security section in the explainer mentions _[revealing...