Microsoft Edge Developer

Hi, are you a web developer or designer?

“No, I just want to share feedback on Microsoft Edge.”

Please use the Feedback Hub (requires Windows 10) to submit your feedback in the Microsoft Edge category. This site is for web developer and designer feedback only. Other feedback will be closed without action.

“Yes, I’m a web developer or designer with feedback for the Microsoft Edge platform.”

Great! This site is where the Microsoft Edge team collects feature requests from the web developer and designer community in the categories listed to the right. For bugs on existing features, please log an issue on the Issue Tracker.

Your feedback will help us with planning and to better understand how web developers and designers are using the platform. Top standards-based feature requests will also be copied over to status.microsoftedge.com, where you can track its development status.

For the most actionable feedback, please search and up vote for existing suggestions before submitting a new suggestion, and create a separate suggestion per idea. Note that off topic or inappropriate suggestions may be moderated. The Microsoft Edge team will use suggestions as an important input, but there are several additional factors that inform the final roadmap.

A note from our lawyers: Please do not send any novel or patentable ideas, copyrighted materials, samples or demos which you do not want to grant a license to Microsoft. See the Terms of Service for more information.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Address bar new anti fishing function

    I create script , when the user enters the address he sees sha 256 visual representation, the probability of error is decreased.
    see http://www.forms.ge/anti-fishing-function

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  2. Only Allow AppCache over HTTPS

    AppCache should be removed from insecure contexts. Since AppCache allows offline and persistent access to an origin, this can be an XSS attack vector that can be exploited

    23 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  3. Update documentation on U2F support in Chrome, Opera and Firefox

    The website wrongly states that Chrome, Opera, and Firefox do not support U2F, which is wrong. In the case of Chrome, it's been implemented for several years. In fact, Edge is the only major browser that does not support this. Please update the docs to reflect this.

    https://developer.microsoft.com/en-us/microsoft-edge/platform/status/fidou2f/

    5 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  4. do not recover after crash

    Option to NEVER restore Sessions after Crash. I want a config option that tells edge to not restore sessions on start.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  5. Block Cross-Origin <a download>

    While Microsoft Edge mitigates the impact of cross-origin downloads by changing the file extension, it is still a risk and the presence of the download attribute on anchor elements with cross-origin attributes should still be ignored

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  6. X-Content-Type-Options: nosniff

    X-Content-Type-Options: nosniff http header lets a web server assert its resources can only be a script or a stylesheet if it is not sent with proper Content-Type headers.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  7. Include TLS security. Most websites require it now, so I have had to stop using Microsoft edge for web browsing.

    Include TLS security in Microsoft Edge. I have had to install Google Chrome to use the Internet as almost all sites now require TLS security to visit or view.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  8. Write Edge in managed code

    I know you've tried to GC the native code, but it's not enough.

    There are still UAF bugs. There are still type bugs. It's time to put an end to them once and for all. Write in managed code. We know that Microsoft can create environments that are type safe; it's time to actually use one.

    125 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  9. Add more granular cookie management.

    IE had the best cookie mangement of all browsers. Accept, block, Prompt. 1st, 3rd party. Allow all session cookies. Elegant, simple.

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  10. referrer policy

    Referrer policy

    50 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  11. Add a new flag allow-top-navigation-with-gesture

    An already established standard (https://html.spec.whatwg.org/multipage/browsers.html#attr-iframe-sandbox-allow-top-navigation-by-user-activation), this new flag requires top-level browsing context navigation from a sandboxed iframe only through gesture. This prevents malicious auto-redirection from 3rd party content while still allowing top-level navigation

    28 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  12. 4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  13. 125 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  14. ad-blockers, site-blockers and Google Search

    Until Edge has support for plugins like adblock plus and Youtube Channel Blocker, its useless. The internet is a messy place. Using Edge without these, you get flooded with ads and can't actually see the content. Ads can contain phishing software and keystealers (BitDefender reports) and its not advisable to surf without these tools.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  15. Support Strict Secure Cookies

    The Secure flag on cookies prevents from being read by an insecure (non https) origin, but it can still add or delete secure cookies from an insecure site. This feature request will make the cookie strictly secure

    7 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  16. Detecting a serious opening in the Microsoft EDGE browser.Threatens user passwords

    Detecting a serious opening in the Microsoft EDGE browser.Threatens user passwords It basically targets Same-Origin Policy within the browser

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  17. 13 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  18. Allow server detection of Integrated Windows Authentication (IWA) support

    Allow detection (from server side) of web clients which are being managed by domain and for which we know the IWA authentication (SPNEGO, NTLM, Kerberos) is available.

    The goal is to send IWA authentication request only to supported web clients, but NOT for web clients in which it is not handled (non domain edge, mobile and such) as sending a status code 401 + WWW-Authenticate HTTP header for those client leads to a very bad user experience with a login popup. Users with a web client without IWA support are proposed other classic authentication methods.

    In previous IE version, such…

    72 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  19. Support the OCSP Must Staple TLS Extension

    As described in this post by Mozilla:
    https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
    or here:
    https://www.grc.com/revocation/ocsp-must-staple.htm

    OCSP Must-Staple makes use of the recently specified TLS Feature Extension. When a CA adds this extension to a certificate, it requires the browser to ensure a stapled OCSP response is present in the TLS handshake. If an OCSP response is not present, the connection will fail and the browser will display a non-overridable error page.

    44 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  20. Support ChaCha20/Poly1305 cipher suites in Edge/Schannel

    ChaCha20/Poly1305 cipher suites are considered as the best stream cipher replacement for the obsolete RC4 stream cipher suites. It's also the only AEAD alternative to AES-GCM cipher suites right now.

    It's already supported by Google Chrome, Android and Opera and just recently patch with ChaCha20/Poly1305 landed in OpenSSL library.
    https://github.com/openssl/openssl/commit/bd989745b7a4796dceff89d93b6b7ac1561c6227

    I think it would be helpful to support it in Schannel and Edge as well.

    193 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base