How WebDriver BiDi gives the W3C automation standard the bidirectional channel that CDP had, why Selenium and Firefox are moving onto it, and what the switch changes for bot detection.
Traces how crawl politeness works in practice: RFC 9309 robots.txt parsing, the crawl-delay split between Google, Bing, and Yandex, per-host rate limits, sitemaps, and the cryptographic verification replacing the honor system.
Traces GREASE (RFC 8701), the reserved random values browsers inject into the TLS ClientHello to keep extension points usable, and the reason fingerprinting that fails to normalize them produces a different hash on every connection.
How ECH encrypts the inner ClientHello, including SNI, with an HPKE key fetched from DNS, what the outer ClientHello still leaks, and where deployment actually stands now that RFC 9849 has shipped.
Traces how four read-only battery properties became a cross-site tracking vector, the 2015 Olejnik research that proved it, the in-the-wild scripts Princeton caught, and the Firefox and WebKit removals that followed.
A primary-source reference for HTTP caching: how Cache-Control directives, Expires, ETag and Last-Modified revalidation, Vary, and the stale-* extensions actually behave in private and shared caches under RFC 9111.
Traces the HTTP cookie from a 1994 shopping-cart hack to the web's identity layer: how SameSite reshaped it, why the third-party-cookie phase-out collapsed in 2024-2025, and what partitioning leaves behind.
A primary-source walk through CHIPS: the Partitioned cookie attribute, the double-keyed cookie jar, the cross-site ancestor chain bit, the 10 KiB per-partition budget, and where it sits now that Privacy Sandbox is gone.
A history of encrypting the TLS server name, from the 2018 ESNI experiment and why it failed to the ECH design that encrypts the whole inner ClientHello with HPKE, finished as RFC 9849 in 2026.
Traces the same-origin policy from Netscape 1995 to RFC 6454, then how CORS relaxes it through preflights and Access-Control headers, the misconfigurations that break it, and where the model stands in 2026.
A primary-source reference for the cookie security attributes: what HttpOnly, Secure, SameSite, Domain, and Path each enforce, why the __Host-/__Secure- prefixes exist, and the gaps each one leaves behind.
A reference on CSP: the directive and source-list model, nonces, hashes and strict-dynamic, report-only mode, the Google study that showed most real-world policies were bypassable, and why retrofitting a strict policy is so painful.
Traces how the integrity attribute verifies a third-party script against a cryptographic hash, what it stops when a CDN is compromised, the dynamic-resource gap it cannot close, and why adoption stayed in single digits.
Traces automated web extraction from the 1993 Wanderer and JumpStation through wget, Perl LWP, the API era, Scrapy, Selenium, the headless-Chrome shift, and the AI-training wave, with the legal landmarks along the way.
Traces robots.txt from Martijn Koster's 1994 mailing-list proposal through 25 years as a de-facto standard, Google's 2019 push, RFC 9309 in 2022, and the 2024-2025 AI-crawler revolt and llms.txt debate.
Traces HTTP from Berners-Lee's one-line 1991 protocol through RFC 1945, the RFC 2068/2616/7230 era of HTTP/1.1, Google's SPDY, HTTP/2 (RFC 7540/9113), and HTTP/3 over QUIC (RFC 9114).
Traces the HTTP cookie from Lou Montulli's 1994 design at Netscape through RFC 2109, 2965, and 6265, the third-party tracking era, and the SameSite phase-out endgame that never quite arrived.
Traces Selenium from Jason Huggins's 2004 JavaScriptTestRunner through Selenium RC's proxy hack, the 2009 WebDriver merger, and WebDriver becoming a W3C Recommendation in 2018.
How QUIC went from a 2012 Google experiment in Chrome and YouTube to a standardized IETF transport, traced through gQUIC, the TLS 1.3 redesign, HTTP/3, and the May 2021 publication of RFC 9000.