| title | description | author | ms.author | ms.topic | ms.service | ms.date |
|---|---|---|---|---|---|---|
Site compatibility-impacting changes coming to Microsoft Edge |
Summary of high-impact changes that are planned for Microsoft Edge that may impact website compatibility. |
MSEdgeTeam |
msedgedevrel |
conceptual |
microsoft-edge |
06/21/2024 |
This article lists the schedule of changes for Microsoft Edge and the Chromium project. It also highlights any differences and high-impact changes which the Microsoft Edge team is tracking especially closely.
The web platform is a collection of technologies used for building webpages, including HTML, CSS, JavaScript, and many other open standards. The web platform constantly evolves to improve the user experience, security, and privacy. In some cases, these changes may affect the functionality of existing webpages.
For functionality and compatibility reasons, Microsoft Edge adopts nearly all of the Chromium project's changes to the web platform. However, Microsoft retains full control of the Microsoft Edge browser and may defer or reject changes. The Microsoft Edge team decides if the change benefits browser users.
For information about upcoming Chromium project web platform changes, see Chrome Platform Status Release timeline.
Check this article often as the Microsoft Edge team updates this article as thinking evolves, timelines solidify, and new changes are announced.
This table lists:
- Changes where the rollout schedule for Microsoft Edge differs from the upstream Chromium project.
- High-impact changes which the Microsoft Edge team is tracking closely.
| Change | Stable channel | Experimentation | Additional information |
|---|---|---|---|
| Insecure downloads over HTTP | Future release (TBD) | When a user tries to download potentially dangerous content from an HTTP site, the user will receive a UI warning, such as "Insecure download blocked." The user will still have an option to proceed and download the item. Admins can use the InsecureContentAllowedForUrls policy to specify HTTP sites for which the warning will be suppressed. Admins can use the InsecureDownloadWarnings feature flag to test the impact of this upcoming feature. |
|
| Deprecate unload event | Future release (TBD) | Introduces a new Permission-Policy to allow creating unload event listeners. The default policy is allow, but the default policy will gradually be migrated to deny, such that unload handlers stop firing on pages, unless a page explicitly opts in to re-enable them. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see Intent to Deprecate: Deprecate unload event. |
|
| Removal of cross-origin subframe JavaScript dialogs | Future release (TBD) | Removes window.alert, window.prompt, and window.confirm from cross-origin iframes. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see Intent to Remove: Cross origin subframe JS Dialogs. |
|
Deprecate textprediction attribute |
v131 | Removes support for the textprediction HTML attribute, which is a nonstandard attribute that's used to enable or disable the browser-based Text Prediction feature for long-form text inputs. Instead, use the standardized writingsuggestions attribute, which functions similarly to textprediction, but also applies to other writing-assistance features that browsers may provide. Sites that explicitly set textprediction to true or false can instead set writingsuggestions to the same value. For more information, see Writing suggestions in the HTML specification. |
|
| Removal of Token Binding support | v127, v130 | Token Binding uses cryptographic certificates on both ends of the TLS connection in an attempt to close the security gap of bearer tokens, which may be lost or stolen. The enterprise policy AllowTokenBindingsForUrls will no longer be supported, as of v127. Support for the Token Binding protocol will be removed in v130. | |
| Removal of mutation events | v127 | Removes support for mutation events in Chromium. Use the MutationObserver API instead. See Intent to Deprecate: Mutation Events. | |
| Removal of Web SQL | v124 | Fully removes Web SQL support. In prior releases, Web SQL support was disabled by default but could be re-enabled via the WebSQLAccess policy. After this change, there is no longer any mechanism to enable Web SQL support. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see Intent to Deprecate and Remove Web SQL. | |
| Added support for AVIF and AV1 file formats | v121 | Microsoft Edge now supports the AVIF and AV1 file formats, which offer better compression and higher quality images and videos. Users can enjoy faster loading times and better quality media on websites. | |
Ignore modifications to document.domain by default |
v119 | The document.domain property historically could be set to relax the same-origin policy and allow subdomains from a site to interact. This behavior will be disabled by default such that setting the document.domain property will have no effect. For more information and workarounds, see Microsoft Edge will disable modifying document.domain. |
| Change | Stable channel | Experimentation | Additional information |
|---|---|---|---|
| New TLS server certificate verifier | v111 (managed devices), v109 (unmanaged devices) | No site compatibility impacts are anticipated. If you have uncommon TLS server certificate deployments, you should test in v109 to confirm there's no impact. For more information and testing guidance, see Changes to Microsoft Edge browser TLS server certificate verification. | |
| Send CORS preflight requests for private network access | v104 | Starting with v104, Microsoft Edge sends a CORS preflight request before a page from the internet is allowed to request resources from a local network (intranet). The intranet server should respond to the preflight by providing explicit permission to access the resource. The result of this check is not yet enforced. Enforcement will begin in v111 at the earliest. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry and Chrome Developers blog post. Two compatibility policies are available to suppress the CORS preflight request: InsecurePrivateNetworkRequestAllowed and InsecurePrivateNetworkRequestAllowedForUrls. | |
| Block external protocols in sandboxed frames by default | v103 | Blocks the use of external protocols (that interact with non-browser applications) from sandboxed iframes unless permission is explicitly granted by the sandbox attribute on the frame. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. |
|
| Three-digit version number in the User-Agent string | v100 | Starting with v100, Microsoft Edge will send a three-digit version number in the User-Agent header, such as Edg/100. This may confuse scripts or server-side analytics that use a buggy parser to determine the User-Agent string version number. Starting with v97, site owners can emulate this condition before v100 by enabling the experiment flag #force-major-version-to-100 in edge://flags. |
|
| Deprecate WebRTC's Plan B SDP semantics | v98 (Chrome+2) | This change is happening in the Chromium project, on which Microsoft Edge is based. This change deprecates a legacy Session Description Protocol (SDP) dialect called Plan B. This SDP format is being replaced by the Unified Plan, which is a spec-compliant and cross-browser compatible SDP format. For more information, see the Chrome Platform Status entry, PSA: Plan B should throw in M96 Beta and Stable, and PSA: Plan B throwing in Stable and Extended Deprecation Trial End Date. The Microsoft rollout schedule for deprecation is planned for two releases after Chrome. Requesting a WebRTC Plan B Reverse Origin Trial Token allows sites to continue to use the deprecated API until v101. | |
| Block WebSQL in third-party contexts | v97 | Use of the legacy WebSQL feature will be blocked from third-party frames. An Enterprise policy WebSQLInThirdPartyContextEnabled will be available as an opt-out until v101. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. | |
| Block mixed content downloads | v94 | Downloading of files from HTTP URLs will be blocked on HTTPS pages. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Google security blog entry. | |
| Restrict private network requests to secure contexts | v94 | Starting with v94, access to resources on local (intranet) networks from pages on the internet requires that those pages be delivered over HTTPS. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. Two compatibility policies are available to support scenarios that need to preserve compatibility with non-secure pages: InsecurePrivateNetworkRequestAllowed and InsecurePrivateNetworkRequestAllowedForUrls. | |
| Removal of 3DES in TLS | v93 | Starting with v93, support for the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite will be removed. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. Additionally, in v93, a compatibility policy will be available to support scenarios that need to preserve compatibility with outdated servers. This compatibility policy will become obsolete and stop working in v95. Make sure that you update affected servers before then. | |
| Autoupgrade mixed content images | v88 | Non-secure (HTTP) references to images are automatically upgraded to HTTPS. If the image isn't available over HTTPS, the image download fails. A Group Policy is available to control this feature. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. | |
| Removal of Adobe Flash | v88 | This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Adobe Flash Chromium Roadmap. | |
| Remove FTP support | v88 | Beta v87 | In v88, FTP support is removed entirely. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status Entry. Enterprises that have sites that still require FTP support can continue to use FTP by configuring the site to use IE mode. |
| HTTP authentication disallowed when third-party cookies are blocked | v87 | Starting with v87, when cookies are blocked for third-party requests, using either the BlockThirdPartyCookies policy or the toggle in edge://settings, HTTP authentication is also disallowed. This change may impact Enterprise Mode Site List downloads for Internet Explorer mode if the endpoint hosting the list requires the use of HTTP authentication. To allow the use of both cookies and HTTP authentication for Enterprise Mode Site List downloads, add a matching URL pattern to the CookiesAllowedForURLs policy. |
|
| Deprecate AppCache | v86 (Chrome+1) | This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the WebDev documentation. The Microsoft rollout schedule for deprecation is planned for one release after Chrome. Requesting an AppCache OriginTrial Token allows sites to continue to use the deprecated API until v90. | |
Referrer Policy: Default to strict-origin-when-cross-origin |
v86 (Chrome+1) | Canary v79, Dev v79 | This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, including the planned timeline by Google for this change, see the Chrome Platform Status entry. |
Cookies default to SameSite=Lax and SameSite=None-requires-Secure |
v86 (Chrome+1) | Canary v82, Dev v82 | This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, including the planned timeline by Google for this change, see the Chrome Platform Status entry. |
| Turn off TLS/1.0 and TLS/1.1 | v84 | Versions 1.0 and 1.1 of the TLS protocol used by HTTPS sites are now obsolete and unavailable in modern browsers. | |
| Display subtle prompt for notification permissions requests | v84 | Quiet notification requests display a subtle request icon in the address bar for site notification permissions requested using the Notifications or Push API, replacing the full or standard permission flyout prompt UI. This feature is currently enabled for all users. To opt out of quiet notification requests, see edge://settings/content/notifications. In the future, the Microsoft Edge team may explore re-enabling the full flyout notification prompt in some scenarios. |
|
Disallow synchronous XmlHttpRequest in page dismissal |
v83 (Chrome+1) | This change is happening in the Chromium project, on which Microsoft Edge is based. Matching Chrome, Microsoft Edge offers a Group Policy to turn off this change until v88. For more information, including the planned timeline by Google for this change, see the Chrome Platform Status entry. |
This article uses the following notation for browser release numbers.
| Notation | Description |
|---|---|
| v123 | The feature or change ships in Microsoft Edge version 123. |
| v123 (Chrome+1) | The feature or change ships in Microsoft Edge version 123, which is one release after the feature or change ships in Chrome version 122. |
| v123 (Chrome+2) | The feature or change ships in Microsoft Edge version 123, which is two releases after the feature or change ships in Chrome version 121. |
| Beta v123 | The feature or change ships in version 123 of the Beta preview channel of Microsoft Edge. |
| Dev v123 | The feature or change ships in version 123 of the Dev preview channel of Microsoft Edge. |
| Canary v123 | The feature or change ships in version 123 of the Canary preview channel of Microsoft Edge. |