Software-update: Microsoft Edge 131.0.2903.48

Microsoft heeft versie 131 van Edge uitgebracht. Deze op Chromium gebaseerde browser is beschikbaar voor Windows 10 en hoger, Linux en macOS. Ook zijn er versies voor Android en iOS. In deze uitgave heeft Microsoft onder meer veranderingen in de implementatie van Kyber aangebracht, wat bescherming moet bieden tegen zogenaamde cryptanalytic attacks. De complete changelog voor deze uitgave, die verspreid over verscheidene dagen wordt uitgerold, ziet er als volgt uit:

Feature updates

• Cancel dialog for beforeunload event. Microsoft Edge changed the behavior of the cancel dialog for the beforeunload event. Calling event.preventDefault in a beforeunload event handler won't prevent the dialog from being shown. Instead, event.returnValue = '' needs to be called in the beforeunload event handler to prevent the cancel dialog. The BeforeunloadEventCancelByPreventDefaultEnabled policy is obsolete and no longer works after Microsoft Edge version 130.
• Changes to Kyber. The Kyber algorithm was standardized with minor technical changes and renamed to the Module Lattice Key Encapsulation Mechanism (ML-KEM). ML-KEM is implemented in the BoringSSL cryptography library, which allows for it to be deployed and utilized by services that depend on this library.
  The changes to the final version of ML-KEM make it incompatible with the previously deployed version of Kyber. Due to this incompatibility the following changes in Microsoft Edge will be made:
  • Edge switches from supporting Kyber to ML-KEM.
  • Edge offers a key share prediction for hybrid ML-KEM (codepoint 0x11EC).
  • The PostQuantumKeyAgreementEnabled flag and the PostQuantumKeyAgreementEnabled policy applies to Kyber and ML-KEM. Note: The PostQuantumKeyAgreementEnabled policy is scheduled for removal in Edge version 141.
  • Edge will no longer support hybrid Kyber (codepoint 0x6399).
• New sidebar policy. The EdgeSidebarAppUrlHostAllowList policy allows admins to define a list of sites, based on URL patterns, that are not subject to the EdgeSidebarAppUrlHostBlockList. When the policy is configured, the apps listed in the allow list can be opened in sidebar even if they are listed in the block list. For more information, see Manage the sidebar in Microsoft Edge.

New policies

• EdgeSidebarAppUrlHostAllowList - Allow specific apps to be opened in Microsoft Edge sidebar
• PrivateNetworkAccessRestrictionsEnabled - Specifies whether to apply restrictions to requests to more private network endpoints

Deprecated policies

• NewBaseUrlInheritanceBehaviorAllowed - Allows enabling the feature NewBaseUrlInheritanceBehavior (deprecated)
• RSAKeyUsageForLocalAnchorsEnabled - Check RSA key usage for server certificates issued by local trust anchors (deprecated)
• UserAgentClientHintsGREASEUpdateEnabled - Control the User-Agent Client Hints GREASE Update feature (deprecated)

Obsoleted policies

• BeforeunloadEventCancelByPreventDefaultEnabled - Control the behavior for the cancel dialog produced by the beforeunload event (obsolete)
• SignInCtaOnNtpEnabled - Enable sign in click to action dialog (obsolete)

Site compatibility impacting changes

Note: Portions of this release note are modifications based on work created and shared by Chromium.org and used according to terms described in the Creative Commons Attribution 4.0 International License.

• CSS Anchor Positioning: anchor-scope. The anchor-scope property allows limiting the visibility of anchor names to a given subtree.
• CSS font-variant-emoji. The font-variant-emoji CSS property provides a way to control between colored (emoji-style) and monochromatic (text-style) emoji glyphs. This method can be also done by adding an emoji Variation Selector, specifically U+FE0E for text and U+FE0F for emoji, after each emoji codepoint.
• CSS highlight inheritance. With CSS highlight inheritance, the CSS highlight pseudo-classes, such as ::selection and ::highlight, inherit their properties through the pseudo highlight chain, rather than the element chain. The result is a more intuitive model for inheritance of properties in highlights.
• Improvements to styling structure of <details> and <summary> elements. Support more CSS styling for the structure of <details> and <summary> elements to allow these elements to be used in more cases where disclosure widgets or accordion widgets are built on the web. In particular, this change removes restrictions that prevented setting the display property on these elements, and adds a ::details-content pseudo-element to style the container for the part that expands and collapses.
• @page margin boxes. Add support for page margin boxes, when printing a web document, or exporting it as PDF.
  The @page margin boxes let you define the contents in the margin area of a page, for example to provide custom headers and footers, rather than using the built-in headers and footers generated by the browser.
  A margin box is defined using an at-rule inside a CSS @page rule. The appearance and the contents of a margin box are specified with CSS properties inside the @page rule, including the content property. Counters are also supported, for page numbering. The specification defines two special counter names: page for the current page number and pages for the total number of pages.
• @property support <string> syntax. Support for <string> syntax component name for registered custom properties.
• Support currentcolor in relative color syntax. Allow relative colors in CSS (using the from keyword) to use currentcolor as a base. This support lets you set complementary colors, based on an element's text color, for that element's borders, shadows, or backgrounds.
  This feature also includes use cases where color functions are nested with a dependency on currentcolor, for example: color-mix (in srgb, rgb(from currentcolor r g b), white)) or rgb(from rgb(from currentcolor 1 g b) b g r).
• Support external SVG resources for clip-path, fill, stroke, and marker-* properties. This feature adds support for external references for clip paths, markers, and paint servers (for the fill and stroke properties). For example, clip-path: url("resources.svg#myPath").
• Direct Sockets API. Allows Isolated Web Apps to establish direct transmission control protocol (TCP) and user datagram protocol (UDP) communications with network devices and systems as well as listen to and accept incoming connections.
• Exempt Speculation-Rules header from CSP restrictions. Updates the integration between speculation rules and CSP so that CSP only applies to <script type=speculationrules>, and not to the Speculation-Rules header. CSP's script policies are meant to protect against injection of scripts into HTML, and the CSP threat model doesn't relate to HTTP headers. This approach allows easier deployment of speculation rules from CDNs and other edge servers.
• FedCM as a trust signal for the Storage Access API. Reconciles the FedCM and Storage Access APIs by making a prior FedCM grant a valid reason to automatically approve a storage access request.
  When a user grants permission to use their identity with a third-party identity provider (IdP) on a relying party (RP), many IdPs require third-party cookies to function correctly and securely. This proposal aims to satisfy that requirement in a private and secure manner by updating the Storage Access API (SAA) permission checks to not only accept the permission grant given by a storage access prompt, but also the permission grant given by a FedCM prompt.
  A key property of this mechanism is limiting the grant to cases explicitly allowed by the RP with the FedCM permissions policy, enforcing a per-frame control for the RP and preventing passive surveillance by the IdP beyond the capabilities that FedCM already grants.
• COOP value noopener-allow-popups. Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application.
  In such cases, it can be beneficial for a document to ensure its opener can't script it, even if the opener document is a same-origin one. The noopener-allow-popups Cross-Origin-Opener-Policy value lets documents define that behavior.
• Select parser relaxation. This change makes the HTML parser allow more tags in <select> besides <option>, <optgroup>, and <hr>.
  This change is in support of the customizable <select> feature but is being shipped first because it can be done separately and has some compat risk.
• WebGPU: Clip distances. Adds the optional GPU feature clip-distances that allows setting user-defined clip distances in vertex shader outputs. This technique is useful for the applications that need to clip all vertices in a scene that are beyond a user-defined plane, such as many CAD applications.
• WebGPU: GPUCanvasContext getConfiguration(). Once GPUCanvasContext configure() is called with a configuration dictionary, the GPUCanvasContext getConfiguration() method can be used to check the canvas context configuration. It includes GPU device, format, usage, viewFormats, colorSpace, toneMapping, and alphaMode members. As discussed in issue 4828, web apps can use it to detect whether HDR canvas is supported in WebGPU.
• WebHID on dedicated workers. Enables WebHID inside dedicated worker contexts. This lets the performance of heavy I/O and processing of data from a HID device on a separate thread, helping to reduce the performance impact on the main thread.
• WebRTC RTCRtpEncodingParameters.scaleResolutionDownTo. An API that configures WebRTC encoders to scale input frames if they're greater than the specified maxWidth and maxHeight. This API is similar to scaleResolutionDownBy except that resolution constraints are expressed in absolute terms (for example, 640x360) as opposed to relative terms (for example, scale down by 2), avoiding race conditions related to changing input frame size on the fly.
• Remove the CSS Anchor Positioning property inset-area. With the CSS Working Group resolution on renaming the inset-area property to position-area, this removal cleans up the implementation for a standards compliant feature.
• Remove non-standard GPUAdapter requestAdapterInfo() method. The WebGPU Working Group decided it was impractical for requestAdapterInfo() to trigger a permission prompt so they removed that option and replaced it with the GPUAdapter info attribute so that web developers can get the same GPUAdapterInfo value synchronously.