Tender Surrender
A blog dreaming of the future of the web
-
SharedArrayBuffer and the transitional story of cross-origin isolation
2021/12/26: Safari also now supports SharedArrayBuffer using COOP/COEP from version 15.2, so we have changed the notation in the relevant section.
This is a long article, so I'll start with the conclusion.
Chrome, Firefox, and Safari now support SharedArrayBuffer and high-resolution timers. To use them, enable cross-origin isolation by sending the following two headers with the parent HTML document:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
However, there are various conditions and restrictions to enable this, and many sites will struggle at this stage. If you just want to continue using Chrome as usual for the time being, it may be a safe option to sign up for the Deprecation Trial and see how it goes for a while.
Read more...
-
The Spectre threat and the headers websites should set
This is a long article, so I'll start with the conclusion.
The emergence of Spectre has increased the security requirements for websites. Specific measures required are as follows:
- All resources should use the Cross-Origin-Resource-Policy header to control loading into cross-origin documents.
- HTML documents should include the X-Frame-Options header or the Content-Security-Policy (CSP) header with the frame-ancestors directive to control embedding in an iframe in a cross-origin page.
- HTML documents should include the Cross-Origin-Opener-Policy header to control communication with cross-origin pages when opened as a popup window.
- All resources should include appropriate Content-Type and X-Content-Type-Options: nosniff headers to prevent malicious cross-origin loading.
-
It's been 10 years since I joined Google.
Today marks exactly 10 years since I joined Google as a Developer Advocate, a position focused on educating people about technology. I rarely blog about non-technical topics, but this is a good milestone, so I wanted to take this opportunity to record it.
Read more...
-
How a password-free world is possible - Learn the basics of FIDO2 and WebAuthn
Password-related incidents, such as fraudulent money transfers and account hijacking, are a constant occurrence. While the ideal world would be one in which even people with low IT literacy, such as the elderly, could easily and securely manage their online accounts, the history of the Internet has proven that the first priority is to realize a world without passwords. Recently, FIDO (Fast IDentity Online) has been gaining attention as a technology that will enable password-free logins. WebAuthn (Web Authentication) makes FIDO accessible from a browser. Based on reports, some may believe that these technologies are designed to achieve fingerprint authentication, but in reality, that's not quite the case.
Numerous articles have already been published about WebAuthn, so I will leave the technical details of how to use it to those articles. In this article, I will explain the big picture and the big vision of how this technology will change identity in the future.
Read more...
-
So, are PWAs coming or not?
I came across this article on Twitter yesterday:
Any engineers who say PWA is coming, quit now
"Instagram's PWA is amazing! It's indistinguishable from native!" I heard some Google evangelist or engineer raving about it, so I gave it a try, but it was outdated."
Could this be it?
Instagram PWA is so impressive. I probably won't be able to distinguish it from its native app.
— Eiji Kitamura / えーじ (@agektmr) January 26, 2018
Instagram's PWA is so impressive. I'm not sure I can distinguish it from its native app. pic.twitter.com/DS8TfceBZ6
Admittedly, this statement may have been a bit provocative, but when it comes to Instagram's PWA, the scrolling experience, the ability to apply filters when posting, etc., I honestly thought, "I'm not sure I can tell the difference from a native app," and that was my first impression when I used it, and I still enjoy using it today.
However, at the time of this tweet, I had not yet tried all of the features, and there were some differences that I noticed later. Please don't get me wrong, of course, I am not saying that native apps are unnecessary. In fact, I would like to take this opportunity to explain PWA a little more.
Read more...