Microsoft won't patch Edge XSS vulnerability

Cisco Talos security researchers have found a way to bypass the content security policy defence mechanism that protects against cross site scripting attacks in multiple web browsers.

The flaw has been patched in recent versions of Google Chrome and WebKit-based browsers (such as Apple Safari for macOS and iOS), but not in Microsoft's Edge for Windows 10.

"Microsoft stated this is by design, and has declined to patch this issue," Talos said.

CSP prevents cross-site scripting attacks by whitelisting servers that can be used as sources for client-side web application code.

To exploit the vulnerability, a web page can be coded to set the browser CSP to unsafe-inline which allows for inline scripts to run.

The web page will then load a new document with the window.open Javascript method, adding code to it with document.write to enable cross-site communications. 

Talos researcher Nicholas Grødum said while browsers such as Firefox work as per the explicit W3C specifications and inherit CSP restrictions from the loading document, Microsoft Edge does not. 

Talos reported the vulnerability to Microsoft in November last year. Microsoft confirmed the issue in January 2017, but said in March this year that it did not consider it a vulnerability.

Cross-site scripting (XSS) is a widespread attack vector against web applications, and can be used to run malicious scripts that glean sensitive information from browsers, unbeknownst to users.