Microsoft has declined to fix a security flaw in the Edge browser discovered by Cisco Talos researcher Nicolai Grødum, saying the behaviour is by design. Google and Apple, however, patched similar issues in Chrome (CVE-2017-5033) and Safari (CVE-2017-2419), respectively.
According to the Cisco Talos researcher:
“A specially crafted web page can cause a content security policy bypass resulting in an information leak. An attacker can create a malicious webpage to trigger this vulnerability. An attacker can bypass the Content-Security-Policy header that is used to make the browser protect against information leakage from a web site.”
The bug exists in the latest stable version of Microsoft's Edge browser (40.15063), released in April this year. Microsoft told Cisco that the way the browser handles Content Security Policy is by design and that there are no plans to patch the issue. Until that changes, a site's CSP cannot be relied on to stop data leakage in Edge, so it should be treated as defence in depth rather than the only control against injected or untrusted script.
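To make concrete what the advisory means by a header that "make[s] the browser protect against information leakage", here is a small evaluator for a Content-Security-Policy header. It is an added example written for this page, not code from Cisco Talos, Microsoft or the article, and it says nothing about how the Edge bypass itself works. The policy string, page origin and URLs are constructed for illustration; the matching rules are a simplified form of CSP Level 2 source expressions ('self', 'none', '*', scheme-source, host-source with wildcard host, port and path), and nonces, hashes and the 'unsafe-*' keywords are deliberately left out.

```javascript
// Added example, not code from the article or the Talos advisory: a minimal
// evaluator for a Content-Security-Policy header showing what the browser is
// supposed to enforce. Source-expression matching is a simplified version of
// the CSP Level 2 rules; nonces, hashes and 'unsafe-*' are not handled.

// Parse "directive src src; directive src" into a Map of directive -> [sources].
// Per spec a repeated directive is ignored, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Port a URL actually uses, filling in the scheme default when it is omitted.
function effectivePort(url) {
  if (url.port !== '') return url.port;
  const defaults = { 'http:': '80', 'ws:': '80', 'https:': '443', 'wss:': '443' };
  return defaults[url.protocol] ?? '';
}

// Does one source expression (e.g. 'self', https:, *.cdn.example) match url?
function sourceMatches(expr, url, pageOrigin) {
  const page = new URL(pageOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === page.origin;
  if (expr === '*') return /^(https?|wss?):$/.test(url.protocol); // simplified
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();

  // host-source: [scheme://]host[:port][/path]
  let rest = expr;
  const schemeMatch = /^([a-z][a-z0-9+.-]*):\/\//i.exec(expr);
  if (schemeMatch) {
    if (url.protocol !== schemeMatch[1].toLowerCase() + ':') return false;
    rest = expr.slice(schemeMatch[0].length);
  } else if (url.protocol !== page.protocol &&
             !(page.protocol === 'http:' && url.protocol === 'https:')) {
    return false; // no scheme in expr: must match the page's scheme (http may upgrade)
  }
  const slash = rest.indexOf('/');
  const hostPort = slash === -1 ? rest : rest.slice(0, slash);
  const path = slash === -1 ? '' : rest.slice(slash);
  const [hostPattern, portPattern] = hostPort.split(':');

  const host = url.hostname.toLowerCase();
  const pat = hostPattern.toLowerCase();
  if (pat.startsWith('*.')) {
    if (!host.endsWith(pat.slice(1))) return false; // *.example.com: subdomains only
  } else if (pat !== '*' && pat !== host) {
    return false;
  }
  if (portPattern !== undefined && portPattern !== '*' &&
      portPattern !== effectivePort(url)) return false;
  if (path !== '') {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Is a load of urlString governed by `directive` allowed? Fetch directives fall
// back to default-src; with neither present the browser imposes no restriction.
function isAllowed(policy, directive, urlString, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(urlString);
  return sources.some(expr => sourceMatches(expr, url, pageOrigin));
}

// Constructed sample: a policy that lets the page talk only to itself and its
// API, but load images from anywhere (a common, and leaky, configuration).
const SAMPLE_CSP = "default-src 'self'; connect-src 'self' https://api.example.com; img-src *";
const PAGE_ORIGIN = 'https://app.example.com';
const samplePolicy = parseCsp(SAMPLE_CSP);

// Run the sample through the evaluator; returns a small report object.
function sampleReport() {
  return {
    apiFetch: isAllowed(samplePolicy, 'connect-src', 'https://api.example.com/upload', PAGE_ORIGIN),
    exfilFetch: isAllowed(samplePolicy, 'connect-src', 'https://collector.example.net/log', PAGE_ORIGIN),
    exfilImage: isAllowed(samplePolicy, 'img-src', 'https://collector.example.net/p.gif?secret=1', PAGE_ORIGIN),
    thirdPartyScript: isAllowed(samplePolicy, 'script-src', 'https://cdn.example.org/lib.js', PAGE_ORIGIN),
    ownScript: isAllowed(samplePolicy, 'script-src', 'https://app.example.com/app.js', PAGE_ORIGIN),
  };
}

console.log(sampleReport());
```

The report shows the point that matters for information leakage: the sample policy blocks a fetch to the collector host, yet an image request carrying the same data in its query string is allowed because img-src is wide open. A policy has to be checked directive by directive, and a browser that does not apply it consistently, as the advisory describes for Edge, leaves all of those checks without effect.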