I am Mathias Bynens. Ask me anything.

Mathias is a web standards fanatic from Belgium. He is currently working on the V8 JavaScript engine at Google. A great opportunity to ask him anything programming.

Ask Mathias Bynens about:

  • JavaScript
  • HTML
  • CSS
  • HTTP
  • performance
  • security
  • Bash
  • Unicode
  • macOS
  • OSS
  • …more

Comments (41)

Add a comment
Siddarthan Sarumathi Pandian's photo

The V8 engine is one of the most beautiful pieces of software out there, thanks for making our life easier through it.

I have two questions:

  1. How to get started with compiler design, I've never had the chance to venture into that side of programming.

  2. Do you think JavsScript can be perceived as a compiled language and not an interpreted language? JIT (just-in-time compiler) makes code optimizations (also create compiled versions); interpreted languages can't usually do that.

Mathias Bynens's photo

I work on V8 at Google and on ECMAScript through TC39. ♥ JavaScript, HTML, CSS, HTTP, performance, security, Bash, Unicode, i18n, macOS.

  1. Stanford Engineering’s CS1 course on compilers is available online. I haven’t looked at it myself but have heard good things about it.

  2. V8 has an interpreter (Ignition) and an optimizing compiler (TurboFan). Most modern JavaScript engines have a similar setup (maybe with a few extra compilers thrown in there). V8 can create optimized code based on certain assumptions, but when the assumptions become invalid we have to deoptimize.

Sandra Voznikova's photo

What are the basic security measures you would take if you were starting a new project in 2018?

Mathias Bynens's photo

I work on V8 at Google and on ECMAScript through TC39. ♥ JavaScript, HTML, CSS, HTTP, performance, security, Bash, Unicode, i18n, macOS.

The cool thing about web app security basics is that they don’t really change over time.

For web app security specifically, I’ll say the following.

Sanitize content in different HTML contexts to avoid XSS. Apply defense-in-depth, and use CSP as an additional layer of security. Use SRI if you load resources from a CDN. Check your server configuration, and make sure you serve each resource with the correct MIME type and headers to disable MIME sniffing where applicable. Avoid cookies, and if you must use them, consider applying the SameSite flag. Never trust any data that you do not fully control (e.g. user input, data fetched from a third party, request header values, etc.). Train yourself to have a security mindset: always assume the worst.

IMHO the best (and most fun!) way to learn about all this, is to try and exploit these bugs yourself. There are perfectly legal ways of doing so.

Try to exploit XSS vulnerabilities: https://xss-game.appspot.com/ Hungry for more? Google Gruyere takes it even further: https://google-gruyere.appspot.com/

I used to play a lot of Security CTFs with my friends from KUL (team Hacknam Style 4 lyfe!). These are online competitions where you get access to similar hacking challenges. Every level contains some kind of vulnerability, and exploiting it gives you access to a secret “flag” you can then submit to score points.

With every single CTF I played, I learned something new. I ended up starting a project to collect my (and later, other people’s) write-ups along with the original challenges. Here are some example write-ups for web challenges:

Peter Burns's photo

What do you see as the biggest challenge in the JavaScript language that isn't addressed by any current proposal?

Mathias Bynens's photo

I work on V8 at Google and on ECMAScript through TC39. ♥ JavaScript, HTML, CSS, HTTP, performance, security, Bash, Unicode, i18n, macOS.

The biggest challenge of evolving the JavaScript language is the backwards compatibility requirement. It’s also its greatest strength.

JavaScript is so widely deployed on the Web, it’s hard to make any kind of backwards-incompatible change to the language. Even purely additive changes, such as the introduction of a new String or Array method, can sometimes end up causing breakage on websites (often in weird an unexpected ways). As a browser engineer, Breaking the Web is the worst thing that can happen.

On the other hand, this means we can all write JavaScript programs today that will likely still behave the same way 20 years from now. That’s amazing!

Akash Verma's photo

Hi Mathias, What measures do you take to improve the performance of your app?

Mathias Bynens's photo

I work on V8 at Google and on ECMAScript through TC39. ♥ JavaScript, HTML, CSS, HTTP, performance, security, Bash, Unicode, i18n, macOS.

That’s a very broad question! There’s lots of different aspects to “performance”. In my day-to-day work, I mostly focus on load-time performance. The best advice I can give there is to ship less code :)

Invest time in setting up a robust build pipeline. Consider using a tool like webpack or rollup to minimize the size of your generated JS and CSS bundles. If you transpile JS, use babel-preset-env to avoid over-transpiling — this helps with both load-time and run-time performance.

Rendering performance is another important aspect.

I recommend the Web Fundamentals performance guide.

Susan Dinglesen's photo

Have you, as a coder, explored Blockchain technologies? Have you written any smart contracts?

If no, do you intend to invest your time learning and explore more?