Mathias Bynens

About me

My name’s Mathias Bynens, and I’m a freelance web developer from Belgium. I collaborate on open-source projects such as jsPerf and HTML5 Boilerplate. If that sounds like fun to you, you should follow me on Twitter and GitHub.

Latest notes

Dear Google, please fix plain text emails in Gmail

· tagged with Email

By default, composing a new email in Gmail results in an HTML email under the hood. It’s possible to opt out of that and use plain text email instead, but that leads to some problems.

PBKDF2+HMAC hash collisions explained

· tagged with Bash, cryptography, JavaScript, Python

It’s trivial to find colliding passwords when hashing with PBKDF2-HMAC-anything. This post explains why that is.

JavaScript has a Unicode problem

· tagged with JavaScript, Unicode

The way JavaScript handles Unicode is… surprising, to say the least. This write-up explains the pain points associated with Unicode in JavaScript, provides solutions for common problems, and explains how the upcoming ECMAScript 6 will improve the situation.

Processing Content Security Policy violation reports

· tagged with CSP, PHP, security

Content Security Policy can be used to generate reports describing attempts to attack your site. This post briefly explains how this works, and presents a simple example script that can be used to process these reports.

Hiding JSON-formatted data in the DOM with CSP enabled

· tagged with CSP, DOM, HTML, JavaScript, PHP, security

If Content Security Policy is enabled for protection against cross-site scripting attacks (i.e. the unsafe-inline option is not set), the use of inline <script>s is not allowed. In that case, how can we pass server-generated data to the front-end without negatively affecting load time and run-time performance?

Older notes

Browse the archive.