Microsoft has released version 131 of Edge. This Chromium-based browser is available for Windows 10 and later, Linux and macOS. There are also versions for Android and iOS. In this release, Microsoft has, among other things, made changes to the implementation of Kyber, which is intended to provide protection against so-called cryptanalytic attacks. The complete changelog for this release, which is being rolled out over several days, is as follows:
Feature updates
- Cancel dialog for beforeunload event. Microsoft Edge changed the behavior of the cancel dialog for the beforeunload event. Calling event.preventDefault in a beforeunload event handler won't prevent the dialog from being shown. Instead, event.returnValue = '' needs to be called in the beforeunload event handler to prevent the cancel dialog. The BeforeunloadEventCancelByPreventDefaultEnabled policy is obsolete and no longer works after Microsoft Edge version 130.
- Changes to Kyber. The Kyber algorithm was standardized with minor technical changes and renamed to the Module Lattice Key Encapsulation Mechanism (ML-KEM). ML-KEM is implemented in the BoringSSL cryptography library, which allows for it to be deployed and utilized by services that depend on this library.
  The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber. Due to this incompatibility the following changes in Microsoft Edge will be made:
  - Edge switches from supporting Kyber to ML-KEM.
  - Edge offers a key share prediction for hybrid ML-KEM (codepoint 0x11EC).
  - The PostQuantumKeyAgreementEnabled flag and the PostQuantumKeyAgreementEnabled policy apply to Kyber and ML-KEM. Note: The PostQuantumKeyAgreementEnabled policy is scheduled for removal in Edge version 141.
  - Edge will no longer support hybrid Kyber (codepoint 0x6399).
- New sidebar policy. The EdgeSidebarAppUrlHostAllowList policy allows admins to define a list of sites, based on URL patterns, that are not subject to the EdgeSidebarAppUrlHostBlockList. When the policy is configured, the apps listed in the allow list can be opened in sidebar even if they are listed in the block list. For more information, see Manage the sidebar in Microsoft Edge.
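The Kyber to ML-KEM switch described above shows up on the wire as the group codepoints a client lists in its TLS ClientHello. As an added example (not part of the release notes or of Edge's code), this parser reads the supported_groups and key_share extensions of a ClientHello handshake message, record header already stripped, and reports whether it still carries the retired hybrid Kyber codepoint 0x6399 or a hybrid ML-KEM key share (0x11EC). The function names, the X25519 group 0x001D and the share lengths in the constructed sample are assumptions of the example.

```python
ML_KEM_HYBRID, KYBER_HYBRID = 0x11EC, 0x6399  # codepoints quoted in the release note
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51  # extension ids from RFC 8446

def u16(buf, off):
    return int.from_bytes(buf[off:off + 2], "big")

def vec(buf, off, width):  # length-prefixed vector -> (body, offset just past it)
    end = off + width + int.from_bytes(buf[off:off + width], "big")
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off + width:end], end

def lp(data, width):  # inverse of vec(): prepend the length
    return len(data).to_bytes(width, "big") + data

def offered_groups(hello):
    """Return (supported_groups, key_share groups) from a ClientHello handshake message."""
    if hello[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    body, off = vec(hello, 1, 3)[0], 34   # skip legacy_version (2) + random (32)
    for width in (1, 2, 1):               # session_id, cipher_suites, compression
        _, off = vec(body, off, width)
    exts, off = vec(body, off, 2)[0], 0
    supported, shares = [], []
    while off < len(exts):
        ext_type = u16(exts, off)
        data, off = vec(exts, off + 2, 2)
        if ext_type == EXT_SUPPORTED_GROUPS:
            groups = vec(data, 0, 2)[0]
            supported = [u16(groups, i) for i in range(0, len(groups) - 1, 2)]
        elif ext_type == EXT_KEY_SHARE:
            entries, i = vec(data, 0, 2)[0], 0
            while i < len(entries):
                shares.append(u16(entries, i))
                _, i = vec(entries, i + 2, 2)
    return supported, shares

def classify(hello):
    supported, shares = offered_groups(hello)
    if KYBER_HYBRID in supported + shares:
        return "retired hybrid Kyber offered"
    return "hybrid ML-KEM key share" if ML_KEM_HYBRID in shares else "no hybrid ML-KEM key share"

def sample_hello(groups, shares):
    """Constructed ClientHello for the demo; key-share bytes are zeros, not real keys."""
    sg = lp(b"".join(g.to_bytes(2, "big") for g in groups), 2)
    ks = lp(b"".join(g.to_bytes(2, "big") + lp(bytes(n), 2) for g, n in shares), 2)
    exts = lp(b"\x00\x0a" + lp(sg, 2) + b"\x00\x33" + lp(ks, 2), 2)
    return b"\x01" + lp(b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + exts, 3)
```

Calling classify(sample_hello([0x11EC, 0x001D], [(0x11EC, 1216), (0x001D, 32)])) returns "hybrid ML-KEM key share"; run over ClientHello bytes taken from a capture, the same call inventories clients or middleboxes that still send 0x6399.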
New policies
- EdgeSidebarAppUrlHostAllowList - Allow specific apps to be opened in Microsoft Edge sidebar
- PrivateNetworkAccessRestrictionsEnabled - Specifies whether to apply restrictions to requests to more private network endpoints
Deprecated policies
- NewBaseUrlInheritanceBehaviorAllowed - Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated)
- RSAKeyUsageForLocalAnchorsEnabled - Check RSA key usage for server certificates issued by local trust anchors (deprecated)
- UserAgentClientHintsGREASEUpdateEnabled - Control the User-Agent Client Hints GREASE Update feature (deprecated)
Obsoleted policies
- BeforeunloadEventCancelByPreventDefaultEnabled - Control the behavior for the cancel dialog produced by the beforeunload event (obsolete)
- SignInCtaOnNtpEnabled - Enable sign in click to action dialog (obsolete)
Site compatibility impacting changes
Note: Portions of this release note are modifications based on work created and shared by Chromium.org and used according to terms described in the Creative Commons Attribution 4.0 International License.
- CSS Anchor Positioning: anchor-scope. The anchor-scope property allows limiting the visibility of anchor names to a given subtree.
- CSS font-variant-emoji. The font-variant-emoji CSS property provides a way to control between colored (emoji-style) and monochromatic (text-style) emoji glyphs. This can also be done by adding an emoji Variation Selector, specifically U+FE0E for text and U+FE0F for emoji, after each emoji codepoint.
- CSS highlight inheritance. With CSS highlight inheritance, the CSS highlight pseudo-classes, such as ::selection and ::highlight, inherit their properties through the pseudo highlight chain, rather than the element chain. The result is a more intuitive model for inheritance of properties in highlights.
- Improvements to styling structure of <details> and <summary> elements. Support more CSS styling for the structure of <details> and <summary> elements to allow these elements to be used in more cases where disclosure widgets or accordion widgets are built on the web. In particular, this change removes restrictions that prevented setting the display property on these elements, and adds a ::details-content pseudo-element to style the container for the part that expands and collapses.
- @page margin boxes. Add support for page margin boxes, when printing a web document, or exporting it as PDF.
  The @page margin boxes let you define the contents in the margin area of a page, for example to provide custom headers and footers, rather than using the built-in headers and footers generated by the browser.
  A margin box is defined using an at-rule inside a CSS @page rule. The appearance and the contents of a margin box are specified with CSS properties inside the @page rule, including the content property. Counters are also supported, for page numbering. The specification defines two special counter names: page for the current page number and pages for the total number of pages.
- @property support <string> syntax. Support for <string> syntax component name for registered custom properties.
- Support currentcolor in relative color syntax. Allow relative colors in CSS (using the from keyword) to use currentcolor as a base. This support lets you set complementary colors, based on an element's text color, for that element's borders, shadows, or backgrounds.
  This feature also includes use cases where color functions are nested with a dependency on currentcolor, for example: color-mix(in srgb, rgb(from currentcolor r g b), white) or rgb(from rgb(from currentcolor 1 g b) b g r).
- Support external SVG resources for clip-path, fill, stroke, and marker-* properties. This feature adds support for external references for clip paths, markers, and paint servers (for the fill and stroke properties). For example, clip-path: url("resources.svg#myPath").
- Direct Sockets API. Allows Isolated Web Apps to establish direct transmission control protocol (TCP) and user datagram protocol (UDP) communications with network devices and systems as well as listen to and accept incoming connections.
- Exempt Speculation-Rules header from CSP restrictions. Updates the integration between speculation rules and CSP so that CSP only applies to <script type=speculationrules>, and not to the Speculation-Rules header. CSP's script policies are meant to protect against injection of scripts into HTML, and the CSP threat model doesn't relate to HTTP headers. This approach allows easier deployment of speculation rules from CDNs and other edge servers.
- FedCM as a trust signal for the Storage Access API. Reconciles the FedCM and Storage Access APIs by making a prior FedCM grant a valid reason to automatically approve a storage access request.
  When a user grants permission to use their identity with a third-party identity provider (IdP) on a relying party (RP), many IdPs require third-party cookies to function correctly and securely. This proposal aims to satisfy that requirement in a private and secure manner by updating the Storage Access API (SAA) permission checks to not only accept the permission grant given by a storage access prompt, but also the permission grant given by a FedCM prompt.
  A key property of this mechanism is limiting the grant to cases explicitly allowed by the RP with the FedCM permissions policy, enforcing a per-frame control for the RP and preventing passive surveillance by the IdP beyond the capabilities that FedCM already grants.
- COOP value noopener-allow-popups. Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application.
  In such cases, it can be beneficial for a document to ensure its opener can't script it, even if the opener document is a same-origin one. The noopener-allow-popups Cross-Origin-Opener-Policy value lets documents define that behavior.
- Select parser relaxation. This change makes the HTML parser allow more tags in <select> besides <option>, <optgroup>, and <hr>.
  This change is in support of the customizable <select> feature but is being shipped first because it can be done separately and has some compat risk.
- WebGPU: Clip distances. Adds the optional GPU feature clip-distances that allows setting user-defined clip distances in vertex shader outputs. This technique is useful for the applications that need to clip all vertices in a scene that are beyond a user-defined plane, such as many CAD applications.
- WebGPU: GPUCanvasContext getConfiguration(). Once GPUCanvasContext configure() is called with a configuration dictionary, the GPUCanvasContext getConfiguration() method can be used to check the canvas context configuration. It includes GPU device, format, usage, viewFormats, colorSpace, toneMapping, and alphaMode members. As discussed in issue 4828, web apps can use it to detect whether HDR canvas is supported in WebGPU.
- WebHID on dedicated workers. Enables WebHID inside dedicated worker contexts. This allows heavy I/O and processing of data from a HID device to be performed on a separate thread, helping to reduce the performance impact on the main thread.
- WebRTC RTCRtpEncodingParameters.scaleResolutionDownTo. An API that configures WebRTC encoders to scale input frames if they're greater than the specified maxWidth and maxHeight. This API is similar to scaleResolutionDownBy except that resolution constraints are expressed in absolute terms (for example, 640x360) as opposed to relative terms (for example, scale down by 2), avoiding race conditions related to changing input frame size on the fly.
- Remove the CSS Anchor Positioning property inset-area. With the CSS Working Group resolution on renaming the inset-area property to position-area, this removal cleans up the implementation for a standards compliant feature.
- Remove non-standard GPUAdapter requestAdapterInfo() method. The WebGPU Working Group decided it was impractical for requestAdapterInfo() to trigger a permission prompt so they removed that option and replaced it with the GPUAdapter info attribute so that web developers can get the same GPUAdapterInfo value synchronously.