We've improved our implementation of this feature, and are trying preflights again in Chrome 102 (which started rolling out yesterday). With luck, servers will be a little more tolerant of OPTIONS requests then they were the first time around... :)

#SecWeb on May 25 (co-located with S&P) has an exciting keynote speaker lineup with @arturjanc and Yinzhi Cao. Need a reason to go? Submit your papers until Feb 24 (see https://t.co/EgfQKh4iXR)!

We're about two weeks out from the next WebAppSec WG call, which means it's a good time to start pulling an agenda together. If you have thoughts on topics we ought to be paying attention to, https://t.co/ki6wg7Qv2i would be a great place to note them.

You can test this for yourselves by enabling the chrome://flags/#origin-agent-cluster-default flag. Ideally, you'd remove the dependency on `document.domain`! But if that's difficult, you can opt-into enabling it by sending an `Origin-Agent-Cluster: ?0` header.

Some clever folks will get together in Munich (and beyond) this December to talk about this problem space at a W3C workshop on permissions. You're cordially invited to join that conversation, and submit a (very short!) position paper:

The web's permission prompts are the least we can possibly do to mediate the conversation about sites' capability between developers and users. They're necessary today, but they're not great: we can clearly do better. https://t.co/oYK01W8Wq8

An interesting info leak that (among other things) shows why using cookie name prefixes (`__Secure-` and `__Host-`) continue to be a solid recommendation.

This is going to be depressing, isn't it?

"Burritos > Banks" shall henceforth be the canonical response whenever someone says "bank-grade security" un-ironically.

Hey folks! If you don’t know me, I’m the CISO of @Twitter – I run the information security, privacy engineering, and IT teams. We’ve got a bunch of roles open across infosec, privacy eng + legal, and IT. Come help Twitter build great things which respect our users! 🧵

That said, my most important takeaway from the podcast is that I should probably start pronouncing "nonce" as "N once".

This is a fantastic technical description of passkeys. @agl__ is an excellent communicator.

New V8 Sandbox design document on how to sandboxify pointers to objects outside the sandbox such as DOM nodes ("external pointers"):

@JanesDueProcess @PPGreaterTX @Plancpills (I might or might not have made these donation in honor of Samuel Alito.)

Today, I donated to @JanesDueProcess, @PPGreaterTX, and @Plancpills. It feels like something, though it's clearly not enough.

The news coming out of the United States is horrific. My heart goes out to the millions of American women who are now set to lose their legal right to an abortion. I can’t imagine the fear and anger you are feeling right now.

Just in case you (like I!) briefly worried that the CSSWG had snuck script execution in while no one was looking, they didn't. This is a misleading demo that jams the parsing/binding into <head> rather than showing it in the JS section of the codepen: https://t.co/PiBH0HGkhp.

If you're looking for more information about what this might mean for you and your servers, the spec lives at https://t.co/BbwEC1SRgK, and https://t.co/IpGMcaVBHC provides an excellent introduction.