The "SameSite" cookie prevents CSRF attacks by telling the browser not to send the cookie in requests that originate from sites other than the one that created it.
Read the spec draft here:
Chrome already supports it as declared here:
450 votes
Completed and backported to Edge 16 as well!
CSP Level 2 brings with it the ability to whitelist inline script tags using the `script-src: nonce-<nonce>` directive.
This allows applications that rely on a small set of inline scripts to still reap the XSS-fighting benefits of disallowing all other inline scripts and inline event handlers.
628 votes
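As an added illustration of the nonce mechanism described in this suggestion (example code, not part of the original post or of Edge), the block below mints a per-response nonce, builds the matching header using the spec's quoted `'nonce-<value>'` source form, and audits rendered HTML so that any inline script missing the nonce (which a CSP2 browser would refuse to run) is caught before deployment; the page template is a constructed sample.

```python
import secrets
from html.parser import HTMLParser

# Added example, not from the original post: per-response nonce, matching
# CSP header, and a pre-deployment audit of inline <script> tags.

def generate_nonce() -> str:
    """128 bits of randomness, base64url-encoded; must be fresh per response."""
    return secrets.token_urlsafe(16)

def build_csp_header(nonce: str) -> str:
    """Only same-origin scripts and inline scripts carrying this nonce may run."""
    return f"script-src 'self' 'nonce-{nonce}'; object-src 'none'"

class _ScriptAudit(HTMLParser):
    """Collect the nonce attribute (or None) of every inline <script> tag."""
    def __init__(self):
        super().__init__()
        self.inline_nonces = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if "src" not in attrs:          # inline script: must carry the nonce
            self.inline_nonces.append(attrs.get("nonce"))

def unnonced_inline_scripts(html: str, nonce: str) -> int:
    """Count inline scripts that build_csp_header(nonce) would block."""
    audit = _ScriptAudit()
    audit.feed(html)
    return sum(1 for n in audit.inline_nonces if n != nonce)

def render_page(nonce: str) -> str:
    """Constructed sample template: one nonced script, one forgotten, one external."""
    return (
        "<html><body>"
        f"<script nonce=\"{nonce}\">init();</script>"
        "<script>legacySnippet();</script>"        # no nonce: blocked by CSP2
        "<script src=\"/static/app.js\"></script>"  # same-origin: allowed by 'self'
        "</body></html>"
    )

if __name__ == "__main__":
    n = generate_nonce()
    print(build_csp_header(n))
    print("blocked inline scripts:", unnonced_inline_scripts(render_page(n), n))
```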
CSP2 is included in Edge 15, which shipped today (11th April) with Windows 10 Creators Update.
Edge should prevent a page from repeatedly popping up modal dialogs that block action on the current or other tabs. In IE 11, it is possible for a page to pop up a modal OS dialog window, and upon attempting to close that window, simply re-open it. I experienced this today with a rogue fake virus warning page, and had to kill the entire IE process to get rid of the dialog. Simply unacceptable from a security standpoint.
114 votes
Upgrade Insecure Requests is a mechanism by which web pages instruct user agents to upgrade a priori insecure resource requests to secure transports before fetching them.
This feature can make deploying HTTPS easier for websites.
534 votes
Upgrade Insecure Requests is included in EdgeHTML 17, released yesterday (30/04/2018).