My writings online
Related origins allow websites that change domains over time, or that operate across many domains, to share the same passkeys. Browsers should support related origins later this year, which may solve the passkey problem X / Twitter has.
PCI DSS V4 has new requirements to prevent web skimming on payment pages. Here is how I am tackling that requirement with content security policies and subresource integrity.
Software releases can be fast, predictable, and high quality when engineered with anxiety and empathy. This approach works well for individuals who own the research, development, and release of software.
Audience verification is an important check to prevent tokens intended for other services being used against yours. I fixed a vulnerability with Facebook tokens.
Erik Paul Nielsen has passed. He supported and influenced me professionally.
A new experimental WebAuthn extension enables web technologies to offload key material sourcing and storage to affordable security keys. Inside is a demonstration of the draft WebAuthn PRF extension.
A quick note to self: how to convert TTF fonts to WOFF2 with specific unicode ranges.
Starting up a new blog! I might have a few interactive experiments here and there. To start, here's some JS that generates a copyable password! Also, it turns out CSP can't stop browser extensions. Be warned.
I have a basic RSS feed if you wish to subscribe.