• Cross Origin Isolation at OWASP Berlin Meeting - 2024, Slides
  • What if XSS was a browser bug? at Hacking in Parallel Berlin - 2022, Slides
  • Finding and Fixing DOM-based XSS at enterJS Darmstadt - 2022, Slides
  • Making of: The Sanitizer API at Nullcon Berlin - 2022: Video, Slides
  • Fixing Security Bugs in Firefox at Mozilla Berlin All-Hands - 2020
  • Remote code execution in Firefox beyond memory corruptions at OWASP Global AppSec Amsterdam - 2019: Blog post, Slides
  • A CDN that can not XSS you: Using Subresource Integrity at OWASP AppSec EU, Amsterdam - 2015: Video, Blog post
  • We're stuggling to keep up - A brief history of browser security features at JSConf.EU Berlin - 2014: Video
  • Origin Policy Enforcement in Modern Browsers at OWASP AppSec Research in Hamburg and at Hack in Paris - 2013: Paper


  • Sanitizer API, an upcoming standard that defines built-in HTML/XSS sanitizer primitives for the browser.
  • eslint plugin "no unsanitized", a plugin for the popular JavaScript linter that helps finding and fixing unsanitized HTML interpolation, which could lead to XSS vulnerabilities.
  • Subresource Integrity, a W3C specification for conditionally loading third-party scripts based on their cryptographic digest.
  • Public Suffix List, the list that defines domain suffixes beyond typical IANA top-level domains. (as contributor)
  • eslint plugin "no wildcard postMessage", a plugin for the popular JavaScript linter that disallows usage of the postMessage API to unspecified end points.
  • discard tab, a Firefox extension that allows unloading a browser tab to disable background activity and reduce resource usage.
  • html2dom, a JavaScript library that rewrites HTML source code into DOM instructions (createElement, appendChild etc.)

Blog posts elsewhere