Best of Web Security, February 2026

  1. Article
    Chrome Developers · 14w

    Chrome for Developers

    Chrome 145 introduces column wrapping for multi-column layouts with `column-wrap` and `column-height` properties, allowing columns to wrap vertically instead of creating horizontal overflow. The release includes a new Origin API that provides an `Origin` object for safer origin comparisons and parsing. Device Bound Session Credentials (DBSC) enhances security by binding user sessions to specific devices using hardware-backed key pairs and short-lived cookies, making stolen session cookies harder to exploit.

  2. Article
    Mozilla Hacks · 13w

    Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148

    Firefox 148 is the first browser to ship the standardized Sanitizer API, which provides built-in XSS protection by sanitizing untrusted HTML before DOM insertion. The new `setHTML()` method replaces the error-prone `innerHTML` assignment, stripping dangerous elements and attributes by default. Developers can customize the sanitization configuration for stricter or more permissive rules, and can combine `setHTML()` with Trusted Types for centralized control over HTML injection. This approach requires minimal code changes and no dedicated security team, making XSS prevention accessible to a broader range of developers.

  3. Article
    Hacker News · 13w

    What is OAuth?

    Written by one of OAuth's original creators, this post explains the core purpose and historical motivation behind OAuth in plain terms. Starting from a 2006 Twitter use case, it frames OAuth as a standardized way to send a multi-use secret to a delegate with consent, and for that delegate to make requests on behalf of the user. OpenID Connect (OIDC) is described as functionally equivalent to magic-link authentication. The post argues that OAuth's complexity obscures its simple goals, and that understanding the 'why' before the 'how' is key to working with it effectively.