Update: The October 2018 Cumulative Security Update (KB4462919) brings the RS5 Cookie Control changes described below to Windows 10 RS2, RS3, and RS4. Note: Most of the content about “Edge” in this post describes Edge Legacy– modern Edge is based on Chromium and behaves mostly like Chrome. See more discussion of 3P cookies in 2022’s NewContinue reading “Cookie Controls, Revisited”
Tag Archives: Edge
Cookies and Concurrency, Redux
Note: This post concerns Edge Legacy (aka Spartan) and does not apply to the modern Chromium-based Edge. In yesterday’s episode, I shared the root cause of a bug that can cause document.cookie to incorrectly return an empty string if the cookie is over 1kb and the cookie grows in the middle of a DOM document.cookieContinue reading “Cookies and Concurrency, Redux”
Edge Interop Issues
As we finish up the next release of Windows 10 (Fall 2018), my team is hard at work triaging incoming bugs. Many such bugs take the form “Edge does the wrong thing for this page. ${Other_Browser} works okay.” This post is designed to be an (ever-growing) index of some of the behavioral deltas that areContinue reading “Edge Interop Issues”
Script-Generated Download Files
As we finish up the next release of Windows 10, my team is hard at work triaging incoming bugs. Here’s a pattern that has come up a few times this month: Bug: I click download in Edge Legacy: …but I end up on an error page: Womp womp. If you watch the network traffic, you’llContinue reading “Script-Generated Download Files”
Stealing your own password is not a vulnerability
By far, the most commonly-reported “vulnerability” reported to the Chrome Vulnerability Rewards program boils down to “I can steal my own password.” Despite having its very own FAQ entry, this gets reported to the VRP at varying levels of breathlessness, sometimes multiple times per day. You can see this “attack” in action: Yes, it’s true,Continue reading “Stealing your own password is not a vulnerability”
text/plain 