Frederik Braun


My name is Frederik Braun and I currently work as a Staff Security Engineer at Mozilla. This blog's content is heavily influenced by my work in security, but it is a personal blog and the opinions expressed here are mine alone and do not reflect anyone else's.

I currently work on the Sanitizer API, which aims to help developers remove XSS and otherwise problematic markup from a piece of HTML. Our aim is to make it easy to use, very robust and seamlessly compatible with most, if not all, websites. The Sanitizer API is slated to make it into a browser near you very soon, and some fine folks have already set up a Sanitizer API playground, which also includes instructions for testing.

In my numerous attempts to eradicate XSS from various codebases, I have also co-developed the ESLint plugin "no-unsanitized" (previously known as "no-innerhtml") - a summary of the approaches we've implemented for Firefox can be found in "Hardening Firefox against Injection Attacks", which was published at the SecWeb Workshop 2020.

If you are using a CDN to serve your website's JavaScript files, you might want to look into Subresource Integrity, which became a W3C Recommendation in 2016.

In the fall of 2013 I co-authored a whitepaper with Mario Heiderich about the benefits of the X-Frame-Options security header. It mostly shows attacks and techniques against websites that can be framed.

In the summer of 2012 I wrote a thesis about the Same Origin Policy and its state in API-rich HTML5 browsers, which concluded my studies of IT-Security at the Ruhr-University in Bochum. This is also where I co-founded the CTF team fluxfingers.

If you still want to know more, I suggest you read some of my blog posts. You may also contact me.