Microsoft is currently working on the Windows 10 Redstone 5 update, which comes with a slew of improvements for native apps like the Edge browser. With Windows 10 Redstone 5, the company is adding new features, Fluent Design and security-focused improvements to the Edge browser.
In 2008 Microsoft introduced a cross-site scripting protection technology called XSS Filter for Internet Explorer, and it was later adopted by Chrome and other browsers. XSS protection is widely used by website owners and it’s a great technology to protect customers.
A report last week revealed that the latest builds of the Microsoft Edge browser dropped the feature. Yesterday, in a blog post, Microsoft confirmed that it is retiring the XSS filter in the Edge browser with Windows 10 Redstone 5, but said customers will remain protected due to the implementation of modern standards like Content Security Policy.
“We are retiring the XSS filter in Microsoft Edge beginning in today’s build. Our customers remain protected thanks to modern standards like Content Security Policy, which provide more powerful, performant, and secure mechanisms to protect against content injection attacks, with high compatibility across modern browsers,” Microsoft said.
A bit disappointing that they mention CSP as a reason for the deprecation given the incredibly low adoption rate…
— Scott Helme (@Scott_Helme) July 26, 2018
Content Security Policy (CSP) can easily mitigate certain types of attacks, including cross-site scripting (XSS) and data injection attacks, but according to Scott Helme, a security researcher, CSP hasn’t been widely used yet.
“Anything to push CSP is great but it feels like they want to kill the auditor for some reason and this was an excuse to cover them,” Scott explains in a follow-up tweet.