Simon Willison’s Weblog

73 items tagged “browsers”

2009

Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari. You just can’t trust browser security: Current versions of Safari, IE8 and Firefox all fell to zero-day flaws at an exploit competition. None of the vulnerabilities have been disclosed yet. # 19th March 2009, 3:30 pm

CSRF is not a security issue for the Web. A well-designed Web service should be capable of receiving requests directed by any host, by design, with appropriate authentication where needed. If browsers create a security issue because they allow scripts to automatically direct requests with stored security credentials onto third-party sites, without any user intervention/configuration, then the obvious fix is within the browser.

Roy Fielding # 23rd January 2009, 8:14 am

2008

Getting OpenID Into the Browser. David Recordon makes the case for online identity management as a key browser feature (I like the “your browser is currently locked” concept), and argues that Gears is in a great position to deliver it. # 3rd December 2008, 10 am

The March of Access Control. The W3C Access Control specification is set to become a key technology in enabling secure cross-domain APIs within browsers, and since it addresses a legitimate security issue on the web I hope and expect it will be rolled out a lot faster than most other specs. # 19th November 2008, 8:40 am

and now... Opera. Jon Hicks is joining Opera as Senior Designer. I absolutely cannot wait to see what he comes up with there. # 9th October 2008, 6:39 pm

The greatest coup Microsoft pulled with Internet Explorer was putting the word “Internet” in its name. It sits there, on the desktop of every new Windows computer, and it says “Internet”. So you click it. [...] What better way to beat a browser with the word “Internet” in its name—a browser that seemingly can’t be beat no matter how hard we try—than the Internet Company itself making a browser?

Tom Armitage # 3rd September 2008, 10:19 am

Chromium. Google Chrome is out! Here’s the open source project, including the code for the new V8 JavaScript virtual machine. # 2nd September 2008, 9:06 pm

A browser sniffing warning: The trouble with Acid3 and TinyMCE. Opera recommend “bug detection”, a step up from object detection and browser sniffing where your JavaScript includes mini unit test style fragments of code designed to test if buggy behaviour you are working around still affects the user’s browser. # 4th July 2008, 8:24 am

When Bugs Collide: Fixing Text Dimming in Firefox 2. Handy tips from Drew on fixing the glitchy text rendering in Firefox 2 when you animate opacity without breaking alpha-transparent PNGs in IE6. # 19th June 2008, 6:09 pm

If we see good usage, we can work with browser vendors to automatically ship these libraries. Then, if they see the URLs that we use, they could auto load the libraries, even special JIT’d ones, from their local system. Thus, no network hit at all!

Dion Almaer # 27th May 2008, 5:58 pm

Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types. # 14th April 2008, 8:18 am

Happy Run Some Old Web Browsers Day! jwz has recreated home.mcom.com, the original home of the Mosaic Communications Corporation, using a snapshot from 21st October 1994 and a domain borrowed from current owner AOL. Also includes instructions on running 1994 Mosaic Netscape binaries under a modern Linux distro. # 31st March 2008, 5:54 pm

Ian’s Acid 3, unlike its predecessors, is not about establishing a baseline of useful web capabilities. It’s quite explicitly about making browser developers jump—Ian specifically sought out tests that were broken in WebKit, Opera, and Gecko, perhaps out of a twisted attempt at fairness. But the Acid tests shouldn’t be fair to browsers, they should be fair to the web; they should be based on how good the web will be as a platform if all browsers conform, not about how far any given browser has to stretch to get there.

Mike Shaver # 27th March 2008, 1:35 pm

Opera and the Acid3 Test. Screenshot shows 100/100 (live code or it didn’t happen!)—Opera’s codebase must be in extremely good shape to fix so many issues so quickly. # 26th March 2008, 10:47 pm

IE8 speeds things up. Steve Souders notes that IE8 downloads script files in parallel before executing them sequentially, giving it a significant speed boost over other browsers that download sequentially. # 11th March 2008, 5:42 am

Sunsetting Quirks Mode. Apparently proper standards support in IE (or at least the IE8 renderer) will be triggered by the HTML5 doctype, providing an alternative to those who don’t wish to pollute their markup with an IE-specific meta tag. # 23rd January 2008, 2:56 pm

Legacy. James Bennett has what I think is the most interesting analysis of the X-UA-Compatible header to date. # 23rd January 2008, 2:14 pm

If Web authors actually use this feature, and if IE doesn’t keep losing market share, then eventually this will cause serious problems for IE’s competitors — instead of just having to contend with reverse-engineering IE’s quirks mode and making the specs compatible with IE’s standards mode, the other browser vendors are going to have to reverse engineer every major IE browser version, and end up implementing these same bug modes themselves.

Ian Hickson # 23rd January 2008, 10:07 am

<META HTTP-EQUIV="X-BALL-CHAIN">. Mozilla hacker Robert O’Callahan discusses the technical implications of freezing copies of older rendering engines, including the increased footprint and the terrifying prospect of documents in different rendering modes communicating through iframes and the DOM. # 22nd January 2008, 6:55 pm

The versioning switch is not a browser detect. PPK: “In other words, the versioning switch does not have any of the negative effects of a browser detect.” # 22nd January 2008, 4:34 pm

Like DOCTYPE switching did in 2000, version targeting negates the vendor argument that existing behaviors can’t be changed for fear of breaking web sites. If IE8 botches its implementation of some CSS property or DOM method, the mistake can be fixed in IE9 without breaking sites developed in the IE8 era. This actually makes browser vendors more susceptible to pressure to fix their bugs, and less fearful of doing so.

Eric Meyer # 22nd January 2008, 2:24 pm

Beyond DOCTYPE: Web Standards, Forward Compatibility, and IE8. This has huge implications for client-side web developers: IE 8 will include the ability to mark a page as “tested and compatible with the IE7 rendering engine” using an X-UA-Compatible HTTP header or http-equiv meta element. It’s already attracting a heated debate in the attached discussion. # 22nd January 2008, 12:40 pm

2007

Safari CSS Reference. Official documentation covering the CSS properties supported by Safari, including the -webkit proprietary extensions. # 22nd November 2007, 11:51 pm

CSS3 and the death of Handheld Stylesheets. I hadn’t looked at CSS 3 media queries before (which let you apply different styles based on media features such as screen width, height and colour availability)—they seem like a much smarter solution than handheld stylesheets and also appear to be preferred by device vendors. # 16th November 2007, 9:53 am

CSS Transforms. WebKit can now do transforms (scale, rotate, translate and skew) in CSS via a new -webkit-transform property. Transforms behave like position relative in that they don’t affect the layout of the page. You can also provide a full affine transform matrix as a shortcut. # 26th October 2007, 9:45 pm

Tabula Fracta. Mozilla hacker Robert O’Callahan offers advice for anyone aiming to create a new rendering engine from scratch. The WHATWG’s work on specifying real-world browser behaviour and error models gets a well deserved mention. # 9th October 2007, 1:20 am

Native DOMContentLoaded is coming to Safari. I filed this bug over two years ago. They’ve just committed the resulting patch to trunk. # 8th October 2007, 1:07 am

Seeking market share, Microsoft removes WGA anti-piracy check from IE7. Hopefully this will accelerate the rise of IE7 over IE6. # 5th October 2007, 11:55 pm

Multi-Safari. Lets you run multiple versions of Safari on the same Mac. As with the multi-IE hacks, all versions use the same underlying HTTP libraries (which belong to the OS) so the simulation isn’t entirely accurate. # 5th October 2007, 11:51 pm