In Case You Missed It

A random collection of noteworthy links: Spartan PM Jacob Rossi wrote about the new Project Spartan rendering engine. Spartan Developer Justin Rogers has a great new blog on development in general, including some tantalizing posts on evolving the Spartan codebase. Windows 10 build 9926 has been released; Spartan is not yet in it, but you…

HTTPS In 2015

Last week at the CodeMash conference, I delivered a session titled HTTPS in 2015: Securing your websites and services using HTTPS has never been more important, or more complicated. In this talk, a former browser Security Program Manager covers the best practices for using HTTPS today. Topics covered in this session include ciphers and hash…

Compressing the Web

Be succinct. Virtually any network-based application can be made faster by optimizing the number of bytes transferred across the network. Taking advantage of caching is a great way to minimize transfer sizes, but just as important is to reduce the size of the resources you transfer. Data compression is used throughout the protocols and formats…

Strict Transport Security

Ivan Ristic’s meticulously researched Bulletproof SSL & TLS book spurred me to spend some time thinking about the HTTP Strict Transport Security (HSTS) feature under development by the Internet Explorer team and already available in other major browsers. HSTS enables a website to opt-in to stricter client handling of HTTPS behavior. Specifically: All HTTP connections to…

RFCs for HTTP/1.1 Updated

After years of effort, the HTTPBIS working group of the IETF has completed revisions of the venerable RFC2616 that defines the HTTP/1.1 protocol. These revisions clarify ambiguous sections of the original, deprecate problematic features, and reflect real-world implementation experiences. There’s a quick summary of the updates here. The specification has been broken up into six…

IE11 Changes

In the past, I’ve published “Minor changes” lists for IE9 and IE10. The goal of those lists was to briefly document changes that might not be recorded elsewhere. This time around, I’m aiming to provide broader coverage of changes in IE11, including major new features and APIs. While this won’t be the best place to…

Brain Dump: International Text

Note: The “brain dump” series is akin to what the support.microsoft.com team calls “Fast Publish” articles—namely, things that are published quickly, without the usual level of polish, triple-checking, etc. I expect that these posts will contain errors, but I also expect them to be mostly correct. I’m writing these up this way now because they’ve…

Same Origin Policy Part 2: Limited Write

In Part 1 of this series, I described how Same Origin Policy prevents web content delivered from one origin from reading content from another origin. (If you haven’t read that post yet, please do start there.) In today’s post, we’ll look at what restrictions are placed on writing between origins. What is a “Write”? For…

Pushing the Web Forward with HTTP/308

Recently, the IESG approved publication of a new Internet-Draft defining the HTTP/308 status code (Intended Status: Experimental). This status code is defined as the “Permanent” variant of the existing HTTP/307 status code. Recall that HTTP/307 was defined back in 1999 to remove the ambiguity around the HTTP/301 and HTTP/302 redirection codes, for which many user-agents would change…

HTTP Methods and Redirect Status Codes

This crossed my Twitter stream earlier today: I’m not sure why we need a public service announcement to notify folks that Internet Explorer is behaving properly, but I guess there’s no harm in that. However, based on the lack of information provided, and the implication that this is surprising, I think the original poster actually…
