HomeWinBuzzer NewsMicrosoft Edge Now Supports Content Security Policy Level 2

Microsoft Edge Now Supports Content Security Policy Level 2

Content Security Policy (CSP) from the World Wide Web Consortium (W3C) is a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS).

-

support for Content Security Policy Level 2 (CSP2) has been added already in the latest Insider build and will come to all users with the Creators Update.

Since EdgeHTML 15.15002 the feature is turned on by default. It handles whitelists from web developers which limit the execution and rendering of content to only enlisted and trusted sources.

As points out, Content Security Policy Level 2 “will help prevent cross-site scripting attacks that remain a common vulnerability on the web”. Any embedded scripts that don´t meet the necessary requirements will not even be downloaded by Microsoft Edge.

To achieve this, Edge checks the Content Security Policy HTTP header for a NonceToken. A nonce is an arbitrary number that can only be used once. This ensures that old communications cannot be reused in replay attacks.

Content Security Policy support of other browsers

Content Security Policy Level 2 is the successor of Content Security Policy 1 and brings some improvements for path components. It also offers five new directives and allows whitelisting of individual inline scripts and stylesheets via nonces.

Content Security Policy Level 3 is already in working draft level and promises further improvements and a much easier integration.

The following charts by caniuse offer a great overview for the major browsers based on their respective version numbers. As you can see, supports both Content Security Policy Level 1 and Level 2 already since version 49. Microsoft Edge has previously supported Content Security Policy Level 1, but integrated it quite late.

According to Microsoft, implementation of the first version of Content Security Policy was difficult to achieve for “websites with inline script elements that either pointed to script sources or that contained script directly.”

Content Security Policy Support Firefox Chrome Edge Opera screenshot caniuse

SourceMicrosoft
Markus Kasanmascheff
Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He is holding a Master´s degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.

Recent News