Site compatibility-impacting changes coming to Microsoft Edge
This article lists the schedule of changes for Microsoft Edge and the Chromium project. It also highlights any differences and high-impact changes which the Microsoft Edge team is tracking especially closely.
The web platform is a collection of technologies used for building webpages, including HTML, CSS, JavaScript, and many other open standards. The web platform constantly evolves to improve the user experience, security, and privacy. In some cases, these changes may affect the functionality of existing webpages.
For functionality and compatibility reasons, Microsoft Edge adopts nearly all of the Chromium project's changes to the web platform. However, Microsoft retains full control of the Microsoft Edge browser and may defer or reject changes. The Microsoft Edge team decides if the change benefits browser users.
For information about upcoming Chromium project web platform changes, see Chrome Platform Status Release timeline.
Check this article often as the Microsoft Edge team updates this article as thinking evolves, timelines solidify, and new changes are announced.
Differences from the Chromium schedule, and high-impact changes
This table lists:
- Changes where the rollout schedule for Microsoft Edge differs from the upstream Chromium project.
- High-impact changes which the Microsoft Edge team is tracking closely.
| Change | Stable Channel | Experimentation | Additional information |
|---|---|---|---|
Disallow synchronous XmlHttpRequest in page dismissal |
v83 (Chrome+1) | This change is happening in the Chromium project, on which Microsoft Edge is based. Matching Chrome, Microsoft Edge offers a Group Policy to turn off this change until v88. For more information, including the planned timeline by Google for this change, see the Chrome Platform Status entry. | |
| Display subtle prompt for notification permissions requests | v84 | Quiet notification requests display a subtle request icon in the address bar for site notification permissions requested using the Notifications or Push API, replacing the full or standard permission flyout prompt UI. This feature is currently enabled for all users. To opt out of quiet notification requests, see edge://settings/content/notifications. In the future, the Microsoft Edge team may explore re-enabling the full flyout notification prompt in some scenarios. |
|
| Turn off TLS/1.0 and TLS/1.1 | v84 | Versions 1.0 and 1.1 of the TLS protocol used by HTTPS sites are now obsolete and unavailable in modern browsers. | |
Cookies default to SameSite=Lax and SameSite=None-requires-Secure |
v86 (Chrome+1) | Canary v82, Dev v82 | This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, including the planned timeline by Google for this change, see the Chrome Platform Status entry. |
Referrer Policy: Default to strict-origin-when-cross-origin |
v86 (Chrome+1) | Canary v79, Dev v79 | This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, including the planned timeline by Google for this change, see the Chrome Platform Status entry. |
| Deprecate AppCache | v86 (Chrome+1) | This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the WebDev documentation. The Microsoft rollout schedule for deprecation is planned for one release after Chrome. Requesting an AppCache OriginTrial Token allows sites to continue to use the deprecated API until v90. | |
| HTTP authentication disallowed when third-party cookies are blocked | v87 | Starting with v87, when cookies are blocked for third-party requests, using either the BlockThirdPartyCookies policy or the toggle in edge://settings, HTTP authentication is also disallowed. This change may impact Enterprise Mode Site List downloads for Internet Explorer mode if the endpoint hosting the list requires the use of HTTP authentication. To allow the use of both cookies and HTTP authentication for Enterprise Mode Site List downloads, add a matching URL pattern to the CookiesAllowedForURLs policy. |
|
| Removal of Adobe Flash | v88 | This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Adobe Flash Chromium Roadmap. | |
| Remove FTP support | v88 | Beta v87 | In v88, FTP support is removed entirely. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status Entry. Enterprises that have sites that still require FTP support can continue to use FTP by configuring the site to use IE mode. |
| Autoupgrade mixed content images | v88 | Non-secure (HTTP) references to images are automatically upgraded to HTTPS. If the image isn't available over HTTPS, the image download fails. A Group Policy is available to control this feature. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. | |
| Removal of 3DES in TLS | v93 | Starting with v93, support for the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite will be removed. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. Additionally, in v93, a compatibility policy will be available to support scenarios that need to preserve compatibility with outdated servers. This compatibility policy will become obsolete and stop working in v95. Make sure that you update affected servers before then. | |
| Deprecate WebRTC's Plan B SDP semantics | v98 (Chrome+2) | This change is happening in the Chromium project, on which Microsoft Edge is based. This change deprecates a legacy Session Description Protocol (SDP) dialect called Plan B. This SDP format is being replaced by the Unified Plan, which is a spec-compliant and cross-browser compatible SDP format. For more information, see the Chrome Platform Status entry, PSA: Plan B should throw in M96 Beta and Stable, and PSA: Plan B throwing in Stable and Extended Deprecation Trial End Date. The Microsoft rollout schedule for deprecation is planned for two releases after Chrome. Requesting a WebRTC Plan B Reverse Origin Trial Token allows sites to continue to use the deprecated API until v101. | |
| Restrict private network requests to secure contexts | v94 | Starting with v94, access to resources on local (intranet) networks from pages on the internet requires that those pages be delivered over HTTPS. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. Two compatibility policies are available to support scenarios that need to preserve compatibility with non-secure pages: InsecurePrivateNetworkRequestAllowed and InsecurePrivateNetworkRequestAllowedForUrls. | |
| Block mixed content downloads | v94 | Downloading of files from HTTP URLs will be blocked on HTTPS pages. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Google security blog entry. | |
| Block WebSQL in third-party contexts | v97 | Use of the legacy WebSQL feature will be blocked from third-party frames. An Enterprise policy WebSQLInThirdPartyContextEnabled will be available as an opt-out until v101. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. | |
| Three-digit version number in the User-Agent string | v100 | Starting with v100, Microsoft Edge will send a three-digit version number in the User-Agent header, such as Edg/100. This may confuse scripts or server-side analytics that use a buggy parser to determine the User-Agent string version number. Starting with v97, site owners can emulate this condition before v100 by enabling the experiment flag #force-major-version-to-100 in edge://flags. |
|
| Block external protocols in sandboxed frames by default | v103 | Blocks the use of external protocols (that interact with non-browser applications) from sandboxed iframes unless permission is explicitly granted by the sandbox attribute on the frame. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry. |
|
| Send CORS preflight requests for private network access | v104 | Starting with v104, Microsoft Edge sends a CORS preflight request before a page from the internet is allowed to request resources from a local network (intranet). The intranet server should respond to the preflight by providing explicit permission to access the resource. The result of this check is not yet enforced. Enforcement will begin in v111 at the earliest. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see the Chrome Platform Status entry and Chrome Developers blog post. Two compatibility policies are available to suppress the CORS preflight request: InsecurePrivateNetworkRequestAllowed and InsecurePrivateNetworkRequestAllowedForUrls. | |
| New TLS server certificate verifier | v109 (unmanaged devices), v111 (managed devices) | No site compatibility impacts are anticipated. If you have uncommon TLS server certificate deployments, you should test in v109 to confirm there's no impact. For more information and testing guidance, see Changes to Microsoft Edge browser TLS server certificate verification. | |
Ignore modifications to document.domain by default |
v115 | The document.domain property historically could be set to relax the same-origin policy and allow subdomains from a site to interact. This behavior will be disabled by default such that setting the document.domain property will have no effect. For more information and workarounds, see Microsoft Edge will disable modifying document.domain. |
|
| Removal of cross-origin subframe JavaScript dialogs | Future release (TBD) | Removes window.alert, window.prompt, and window.confirm from cross-origin iframes. This change is happening in the Chromium project, on which Microsoft Edge is based. For more information, see Intent to Remove: Cross origin subframe JS Dialogs. |
Notation for browser versions
This article uses the following notation for browser release numbers.
| Notation | Description |
|---|---|
| v123 | The feature or change ships in Microsoft Edge version 123. |
| v123 (Chrome+1) | The feature or change ships in Microsoft Edge version 123, which is one release after the feature or change ships in Chrome version 122. |
| v123 (Chrome+2) | The feature or change ships in Microsoft Edge version 123, which is two releases after the feature or change ships in Chrome version 121. |
| Beta v123 | The feature or change ships in version 123 of the Beta preview channel of Microsoft Edge. |
| Dev v123 | The feature or change ships in version 123 of the Dev preview channel of Microsoft Edge. |
| Canary v123 | The feature or change ships in version 123 of the Canary preview channel of Microsoft Edge. |
Feedback
Submit and view feedback for