Passkeys – Syncable WebAuthN credentials

Passwords have lousy security properties, and if you try to use them securely (long, complicated, and different for every site), they often have horrible usability as well. Over the decades, the industry has slowly tried to shore up passwords’ security with multi-factor authentication (e.g. one-time codes via SMS, ToTP authenticators, etc) and usability improvements (e.g.Continue reading “Passkeys – Syncable WebAuthN credentials”

Understanding Browser Channels

Microsoft Edge (and upstream Chrome) is available in four different Channels: Stable, Beta, Dev, and Canary. The vast majority of Edge users run on the Stable Channel, but the three pre-Stable channels can be downloaded easily from microsoftedgeinsider.com. You can keep them around for testing if you like, or join the cool kids and setContinue reading “Understanding Browser Channels”

New Recipes for 3rd Party Cookies

For privacy reasons, the web platform is moving away from supporting 3rd-party cookies, first with lockdowns, and eventually with removal of support in late 2023 the second half of 2024. Background: What Does “3rd-Party” Mean? A 3rd-party cookie is one that is set or sent from a 3rd-party context on a web page. A 3rd-partyContinue reading “New Recipes for 3rd Party Cookies”

Edge URL Schemes

The microsoft-edge: Application Protocol Microsoft Edge implements an Application Protocol with the scheme microsoft-edge: that is designed to launch Microsoft Edge and pass along a web-schemed URL and/or additional arguments. A basic invocation might be as simple as: microsoft-edge:http://example.com/ However, as is often the case with things I choose to write about, there’s a bitContinue reading “Edge URL Schemes”

The “Magical” Back Button

From the mailbag: Eric, when I am on bing.com in Edge or Chrome and I type https://portal.microsoft.com in the address bar, I go through some authentication redirections and end up on the Office website. If I then click the browser’s Back button, I go back to bing.com. But if I try the same thing inContinue reading “The “Magical” Back Button”

Edge/Chrome Policy Registry Entries

One of the more common problems reported by Enterprises is that certain Edge/Chrome policies do not seem to work properly when the values are written to the registry. For instance, when using the about:policy page to examine the browser’s view of the applied policy, the customer might complain that a policy value they’ve entered inContinue reading “Edge/Chrome Policy Registry Entries”

Smarter Defaults by Paying Attention

As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions of varying levels of importance: should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sentContinue reading “Smarter Defaults by Paying Attention”

Debugging Compatibility in Edge

Background By moving from our old codebase to Chromium, the Microsoft Edge team significantly modernized our codebase and improved our compatibility with websites. As we now share the vast majority of our web platform code with the market-leading browser, it’s rare to find websites that behave differently in Edge when compared to Chrome, Brave, Opera,Continue reading “Debugging Compatibility in Edge”

MoarTLS: Non-Secure Download Blocking

With little fanfare, an important security change has arrived on the web. Now, all major browsers (except Safari) block non-secure downloads from a secure page. Browser Version Behavior Edge 94+ Block with right-click “Keep” button Chrome 94 Block Silently Firefox 93 Block with “Allow download” button Brave 1.30.89 Block Silently Opera 79.0.4143.72 Block Silently SafariContinue reading “MoarTLS: Non-Secure Download Blocking”

Practical Time Machines

Many “emergency” situations in our modern world would’ve been easy to fix had they been foreseen in advance. If only we’d known what was going to happen, the badness could’ve easily been prevented. Unfortunately, when problems are discovered only “as they happen” in production, everyone must race to minimize the damage and put out theContinue reading “Practical Time Machines”