  • SharedArrayBuffer and the transitional story of cross-origin isolation

    2021/12/26: Safari also supports SharedArrayBuffer via COOP/COEP from version 15.2, so the relevant section has been updated accordingly.

    This is a long article, so I'll start with the conclusion.

    Chrome, Firefox, and Safari now support SharedArrayBuffer and high-resolution timers. To use them, enable cross-origin isolation by serving the following two headers on the top-level HTML document:

    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin

    However, enabling this comes with a number of conditions and restrictions, and many sites will struggle with it at this stage. If you simply want to keep things working in Chrome as they are for now, signing up for the Deprecation Trial and watching how things develop for a while may be the safe option.


  • The Spectre threat and the headers websites should set

    This is a long article, so I'll start with the conclusion.

    The emergence of Spectre has increased the security requirements for websites. Specific measures required are as follows:

    • All resources should use the Cross-Origin-Resource-Policy header to control loading into cross-origin documents.
    • HTML documents should include the X-Frame-Options header or the Content-Security-Policy (CSP) header with the frame-ancestors directive to control embedding in an iframe in a cross-origin page.
    • HTML documents should include the Cross-Origin-Opener-Policy header to control communication with cross-origin pages when opened as a popup window.
    • All resources should include appropriate Content-Type and X-Content-Type-Options: nosniff headers to prevent malicious cross-origin loading.


  • It's been 10 years since I joined Google.

    Today marks exactly 10 years since I joined Google as a Developer Advocate, a position focused on educating people about technology. I rarely blog about non-technical topics, but this is a good milestone, so I wanted to take this opportunity to record it.


  • How a password-free world is possible - Learn the basics of FIDO2 and WebAuthn

    Password-related incidents, such as fraudulent money transfers and account hijacking, happen constantly. The ideal would be a world in which even people with low IT literacy, such as the elderly, can manage their online accounts easily and securely, and the history of the Internet has shown that the first priority on the way there is a world without passwords. Recently, FIDO (Fast IDentity Online) has been gaining attention as a technology that enables password-free login, and WebAuthn (Web Authentication) makes FIDO accessible from a browser. From news coverage, some may believe that these technologies exist to achieve fingerprint authentication, but in reality that is not quite the case.

    Numerous articles have already been published about WebAuthn, so I will leave the technical details of how to use it to those articles. In this article, I will explain the big picture and the big vision of how this technology will change identity in the future.


  • So, are PWAs coming or not?

    I came across this article on Twitter yesterday:

    Any engineers who say PWA is coming, quit now

    "Instagram's PWA is amazing! It's indistinguishable from native!" I heard some Google evangelist or engineer raving about it, so I gave it a try, but it was outdated.

    Could this be it?

    Admittedly, that statement of mine may have been a bit provocative. But as for Instagram's PWA, the scrolling experience, the ability to apply filters when posting, and so on honestly left me with the first impression that I could not tell the difference from a native app, and I still enjoy using it today.

    However, at the time of that tweet I had not yet tried all of the features, and there were some differences that I noticed later. Please don't get me wrong: I am of course not saying that native apps are unnecessary. In fact, I would like to take this opportunity to explain PWAs a little more.
