Freddy's Avatar

Freddy

@freddyb

manager/security things for Firefox. love my family, my bike and reading books. You can also find me on Mastodon as @freddy@security.plumbing, which I consider my primary account. Homepage: https://frederikbraun.de/

335
Followers 111
Following 73
Posts 12.06.2023
Joined
Posts Following

Latest posts by Freddy @freddyb

Next up, 'Improving the Trustworthiness of Javascript on the Web', presented by Michael Rosenberg, Giulio Berra, Ezzudin Alkotob, and Dennis Jackson

#realworldcrypto

09.03.2026 01:53 πŸ‘ 6 πŸ” 1 πŸ’¬ 1 πŸ“Œ 0

OK, ok. I'll stop blogging for today. I promise.

07.03.2026 22:19 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Composing Sanitizer configurations (https://frederikbraun.de/composable-sanitizers.html): The HTML Sanitizer API allows multiple ways to customize the default allow list and this blog post aims to describe a few variations and tricks we came up with while writing the specification.

07.03.2026 23:18 πŸ‘ 1 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

hat-tip to @shhnjk.bsky.social πŸ€“

07.03.2026 22:11 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

New blog post: Perfect types with `setHTML()` - https://frederikbraun.de/perfect-types-with-sethtml.html - TLDR: Use require-trusted-types-for 'script'; trusted-types 'none'; in your CSP and nothing besides setHTML() works, essentially removing all DOM-XSS risks....

07.03.2026 22:36 πŸ‘ 11 πŸ” 3 πŸ’¬ 1 πŸ“Œ 0
HTML Sanitizer API browser support list with unsupported Safari being poked with a stick by the White Ninja meme

HTML Sanitizer API browser support list with unsupported Safari being poked with a stick by the White Ninja meme

c'mon Safari

03.03.2026 16:40 πŸ‘ 105 πŸ” 9 πŸ’¬ 0 πŸ“Œ 0
Preview
704: Sanitizer API with Frederik Braun We talk with Frederik Braun from Mozilla about the Sanitizer API, how it works with HTML tags and web components, what it does with malformed HTML, and where CSP fits in alongside the Sanitizer API…

I was invited to join the @shoptalkshow.com podcast and talk about my favorite topic. The HTML Sanitizer API and `setHTML()`. Give it a spin in your favorite podcast player :) shoptalkshow.com/704/

02.03.2026 16:46 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

we did a thing! Congrats to the team for getting this out.

24.02.2026 17:04 πŸ‘ 7 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

P.S. this account is write-only. I will only post announcements and blog post links. If you want to reach me, try mastodon or email m

17.01.2026 10:05 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

this is your regular reminder that centralized, single-ownership social media is doomed

17.01.2026 10:05 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
Sponsor @jub0bs on GitHub Sponsors infosec enthusiast β€’ Go developer & trainer β€’ minimalist β€’ chaotic good β€’ trying to make sense of the Web β€’ he/him

⚑ I've been contributing micro-optimisations to Go's standard library in my spare time: github.com/golang/go/co...

πŸ’Έ I don't intend to stop any time soon, but if you benefit from my work and would like to support it, consider sponsoring me on GitHub: github.com/sponsors/jub...

#golang #OpenSource

30.08.2025 19:58 πŸ‘ 17 πŸ” 2 πŸ’¬ 1 πŸ“Œ 0
OSCW 2026: Taipei, Taiwan :: Open Source Cryptography Workshop OSCW 2026 will take place 8 March 2026, the day before Real World Crypto

The Open Source Cryptography Workshop is returning for 2026, before Real World Crypto in Taipei. We are calling for session proposals, both presentations and hands-on workshops, on topics of interest to those who work on and with open source crypto. oscwork.shop/2026 #oscw #rwc #oscw2026 #rwc2026

06.01.2026 10:30 πŸ‘ 1 πŸ” 2 πŸ’¬ 0 πŸ“Œ 0

decoder hosted the session.

30.12.2025 19:02 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

Oh noes. Well see you next time, I suppose? On the upside, the talk was recorded. :)

30.12.2025 19:01 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
[39c3] Lightning Talks - Tag 2 - **Lightning Talks Introduction** - **Chaos auf der Schiene: Die Wahrheit hinter den VerspΓ€tungen** β€” *poschi* - **EventFahrplan - The 39C3 Fahrplan App for Android** β€” *tbsprs* - **Quantum computing...

Hey #39c3. Come see my lightning talk on a safe variant for `.innerHTML ` that is built right into the browser. Tomorrow (day 2), at approximately 12:25 - events.ccc.de/congress/202...

27.12.2025 23:12 πŸ‘ 11 πŸ” 2 πŸ’¬ 1 πŸ“Œ 0

Hey #39c3, chat me up if you want to talk about web security, browser security. I will be one of the tall dudes with a Firefox hoodie :)

27.12.2025 23:10 πŸ‘ 4 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0

lol, bsky wanting everyone's my birthday.

Follow me on mastodon, you cowards.

12.12.2025 22:04 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

New blog post: Why the Sanitizer API is just `setHTML()` - https://frederikbraun.de/why-sethtml.html

07.12.2025 22:14 πŸ‘ 42 πŸ” 17 πŸ’¬ 0 πŸ“Œ 0

New blog post. Something off-topic to feed the search engine. A bug in Lego Star Wars: The Complete Saga (2007). https://frederikbraun.de/lego-star-wars-complete-saga-c3po-bug.html

07.12.2025 14:00 πŸ‘ 0 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Preview
Handling of `<a href="data:...">` Β· Issue #352 Β· WICG/sanitizer-api We allow anchors in the default configuration and only restrict javascript: URLs. data: URLs (especially inside an iframe) might look like XSS: https://x.com/KwanAleister/status/1985542748930523233...

We had a first good outcome already (via Twitter). While `data` URLs are not what I would consider an XSS in the page, I still see it as a confusion that we should address head on. We have an issue filed in github.com/WICG/sanitiz... :)

04.11.2025 15:53 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0

(Terms and conditions apply. Bounty payouts are at the discretion of the bug bounty committee etc. etc. But yes. Bugs in the sanitizer are eligible.)

03.11.2025 19:53 πŸ‘ 2 πŸ” 0 πŸ’¬ 0 πŸ“Œ 0
Video thumbnail

I don't know who needs a kitty headbutt right now, but here's one for you

03.11.2025 00:07 πŸ‘ 32 πŸ” 6 πŸ’¬ 0 πŸ“Œ 0

YES! :)

03.11.2025 19:49 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0

Firefox nightly introduces the setHTML() method. Which is like a native DOMPurify. You can easily test it here:
portswigger-labs.net/mxss/

Set HTMLSanitizer βœ…
Auto update βœ…

I'm trying to break it, I encourage you to break it too

03.11.2025 12:26 πŸ‘ 18 πŸ” 8 πŸ’¬ 4 πŸ“Œ 0
Post image

Hej!

We are thrilled to announce Hack.lu CTF 2025 starts on Friday, October 17.

Top teams can win prizes from our sponsors: OffensiveCon, Zellic, PortSwigger, Binary Ninja, and HackTheBox.

All information on flu.xxx

08.10.2025 15:04 πŸ‘ 4 πŸ” 3 πŸ’¬ 0 πŸ“Œ 0

Eine riesige Verbesserung der LebensqualitΓ€t. Vielen Dank fΓΌr Ihren Einsatz! An wen schreibe ich einen hΓΆflichen Brief, dass die Ladebereiche vielleicht einen abgesenkten Bordstein fΓΌr einfacheres Entladen bekommen kΓΆnnten? InfraVelo oder Bezirksamt? Oder reicht hier? ;-)

26.09.2025 09:35 πŸ‘ 1 πŸ” 0 πŸ’¬ 1 πŸ“Œ 0
Preview
CRLite: Fast, private, and comprehensive certificate revocation checking in Firefox – Mozilla Hacks - the Web developer blog Firefox is now the first and the only browser to deploy fast and comprehensive certificate revocation checking that does not reveal your browsing activity to anyone (not even to Mozilla). ...
19.08.2025 17:59 πŸ‘ 3 πŸ” 2 πŸ’¬ 0 πŸ“Œ 0
Text exceeds alt capacity.

Text exceeds alt capacity.

I'm in a phenomenal talk on gender inequality in cybersecurity this morrning and this is such a great cheat sheet for intersectional fair employment.

01.08.2025 00:35 πŸ‘ 177 πŸ” 56 πŸ’¬ 3 πŸ“Œ 1

firefox container tabs are lowkey goated when $11/year VPS in dublin w/ socks5 over ssh is the vibe

25.07.2025 22:07 πŸ‘ 154 πŸ” 6 πŸ’¬ 6 πŸ“Œ 1

Wait, container tabs support individual proxy settings?

25.07.2025 23:27 πŸ‘ 5 πŸ” 2 πŸ’¬ 1 πŸ“Œ 0