- Subresource Integrity, a W3C specification for conditionally loading third-party scripts based on their cryptographic digest.
- X-Frame-Options: All about Clickjacking? Whitepaper together with Mario Heiderich, Fall 2013
- Origin Policy Enforcement in Modern Browsers, Diploma thesis, Summer/Fall 2012. Errata (TXT), Test Cases/Appendix avialable on request.
I look for security bugs in open source software. Some are found in my free-time, some on company time while working for Mozilla. Here are some examples:
- CVE-2015-4518 CSP bypass in Firefox Reader mode
- CVE-2014-1485 XSLT-based CSP bypass in Firefox (and related products)
- CVE-2013-4519 Multiple HTML Injection Vulnerabilities in ReviewBoard
- CVE-2013-4409 Possible Remote Code Execution Vulnerability in ReviewBoard
- Multiple security issues in Etherpad-lite, caused release 1.2.9 on March 17. 2013 (no CVE assigned)
- CVE-2013-0774 disclosure of profile directory name in Firefox (and related products)
- CVE-2012-5650: DOM based Cross-Site Scripting in CouchDB