  • The basics of passkeys and clearing up misconceptions surrounding them

    2023 has undoubtedly become the "first year of passkeys." With so many services supporting passkeys, 2024 is likely to be the year when passkeys finally become widespread.

    In this article, we will review the basics of passkeys and explain some common misconceptions about passkeys.

    Read more...

  • What is a passkey and its challenges?

    Passkeys are a new authentication method that is resistant to phishing and easy to use even for non-tech-savvy users, and they are expected to eventually replace passwords. In this article, we summarize the basics of passkeys and what they mean for the future of the web.

    Read more...

  • SharedArrayBuffer and the transitional story of cross-origin isolation

    2021/12/26: Safari also supports SharedArrayBuffer via COOP/COEP as of version 15.2, so the wording in the relevant section has been updated.

    This is a long article, so I'll start with the conclusion.

    Chrome, Firefox, and Safari now support SharedArrayBuffer and high-resolution timers. To use them, you must enable cross-origin isolation, which means serving the top-level HTML document with the following two response headers:

    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin

    However, enabling this comes with various conditions and restrictions (with Cross-Origin-Embedder-Policy: require-corp, every cross-origin subresource must opt in via CORS or a Cross-Origin-Resource-Policy header), and many sites will struggle at this stage. If you only need to keep SharedArrayBuffer working in Chrome as before for the time being, registering for the Deprecation Trial and watching how things develop may be the safer option.

    Read more...

  • The Spectre threat and the headers websites should set

    This is a long article, so I'll start with the conclusion.

    The emergence of Spectre has increased the security requirements for websites. Specific measures required are as follows:

    • All resources should send a Cross-Origin-Resource-Policy header to control whether cross-origin documents may load them (as images, scripts, and so on).
    • HTML documents should send an X-Frame-Options header or a Content-Security-Policy (CSP) header with the frame-ancestors directive to control embedding in an iframe on a cross-origin page.
    • HTML documents should send a Cross-Origin-Opener-Policy header to sever the window reference shared with cross-origin pages that open them as a popup window (or that they open).
    • All resources should send a correct Content-Type header together with X-Content-Type-Options: nosniff, so the browser can reliably block cross-origin loads of a resource as the wrong type (for example, HTML or JSON fetched as a script or image).

    Read more...
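    The two excerpts above (cross-origin isolation for SharedArrayBuffer, and the Spectre header checklist) both come down to inspecting a handful of response headers. The following is an added example, not code from either article: a small JavaScript audit that decides whether a document's headers make it cross-origin isolated, whether a cross-origin subresource would survive Cross-Origin-Embedder-Policy: require-corp, and which of the four Spectre recommendations a response is missing. The header objects and the function names are constructed for this example; the rule for COEP: credentialless is noted as a later browser addition not covered by the article.

```javascript
// Added example (not from the linked articles): audit an HTTP response's
// headers for the cross-origin isolation and Spectre mitigations described
// above. `headers` is a plain object of header name -> value, e.g. built from
// a fetch() Response.headers or a captured response. All sample responses
// below are constructed for this example.

function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// First token of a policy header, e.g. 'require-corp; report-to="default"' -> 'require-corp'.
function policyToken(value) {
  return (value || '').split(';')[0].trim().toLowerCase();
}

// A top-level HTML document served with these headers becomes cross-origin
// isolated (self.crossOriginIsolated === true), which is what unlocks
// SharedArrayBuffer and high-resolution timers.
function isCrossOriginIsolated(headers) {
  const h = normalize(headers);
  const coop = policyToken(h['cross-origin-opener-policy']);
  const coep = policyToken(h['cross-origin-embedder-policy']);
  // require-corp is the value the article discusses; COEP: credentialless was
  // added by later Chromium and Firefox releases and also isolates the document.
  return coop === 'same-origin' && (coep === 'require-corp' || coep === 'credentialless');
}

// Under COEP: require-corp the document may only embed cross-origin resources
// that opt in: via a CORS-mode load that passed the CORS check, or via a
// Cross-Origin-Resource-Policy header that permits this document. This is the
// condition that breaks third-party images, scripts and iframes on existing sites.
function embeddableUnderRequireCorp(resourceHeaders, { sameOrigin, sameSite, loadedWithCors }) {
  if (sameOrigin) return true;          // same-origin resources need no opt-in
  if (loadedWithCors) return true;      // assumes the CORS check itself succeeded
  const corp = policyToken(normalize(resourceHeaders)['cross-origin-resource-policy']);
  if (corp === 'cross-origin') return true;
  if (corp === 'same-site' && sameSite) return true;
  return false;                         // no CORP, or CORP: same-origin -> blocked
}

// Checks the four Spectre-era recommendations from the article. Pass
// isHtmlDocument: false for subresources (images, scripts, JSON), which do not
// need the framing and opener headers.
function auditSpectreHeaders(headers, { isHtmlDocument }) {
  const h = normalize(headers);
  const findings = [];
  if (!h['cross-origin-resource-policy']) {
    findings.push('missing Cross-Origin-Resource-Policy');
  }
  if (isHtmlDocument) {
    const csp = h['content-security-policy'] || '';
    const hasFrameAncestors = /(^|;)\s*frame-ancestors\b/i.test(csp);
    if (!h['x-frame-options'] && !hasFrameAncestors) {
      findings.push('missing X-Frame-Options or CSP frame-ancestors');
    }
    if (!h['cross-origin-opener-policy']) {
      findings.push('missing Cross-Origin-Opener-Policy');
    }
  }
  if (!h['content-type']) {
    findings.push('missing Content-Type');
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  return findings;
}

// Constructed sample: a hardened top-level document.
const hardenedDocument = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp; report-to="default"',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};

// Constructed sample: a typical third-party image with no opt-in headers.
const legacyThirdPartyImage = {
  'Content-Type': 'image/png',
};

console.log(isCrossOriginIsolated(hardenedDocument));                          // true
console.log(auditSpectreHeaders(hardenedDocument, { isHtmlDocument: true }));  // []
console.log(auditSpectreHeaders(legacyThirdPartyImage, { isHtmlDocument: false }));
console.log(embeddableUnderRequireCorp(legacyThirdPartyImage,
  { sameOrigin: false, sameSite: false, loadedWithCors: false }));             // false
```

    The last call is the practical reason the excerpt warns that "many sites will struggle": a plain `<img>` pointing at a third-party host with no Cross-Origin-Resource-Policy header is blocked the moment the embedding document sends require-corp, so the audit has to be run against every cross-origin dependency, not only the document itself.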

  • It's been 10 years since I joined Google.

    Today marks exactly 10 years since I joined Google as a Developer Advocate, a position focused on educating people about technology. I rarely blog about non-technical topics, but this is a good milestone, so I wanted to take this opportunity to record it.

    Read more...