Starting with the latest test build of Windows 10 Redstone 5 (RS5) Build 17672 which was pushed to the Windows Insiders in the Fast and Skip Ahead rings Microsoft has begun testing of a new feature that introduces support for “same-site cookies” to Microsoft Edge and Internet Explorer 11.
This will prevent cookies from beign sent from the website to external domains either via “strict” attribute or via “lax” attribute. “The former will prevent cookies in all cross-site requests, while the later will effect some less sensitive requests only.”
Historically, sites such as example.com that make “cross-origin” requests to other domains such as microsoft.com have generally caused the browser to send microsoft.com’s cookies as part of the request. Normally, the user benefits by being able to reuse some state (e.g., login state) across sites no matter from where that request originated. Unfortunately, this can be abused, as in CSRF attacks. Same-site cookies are a valuable addition to the defense in depth against CSRF attacks.
More specifically, strict value set with same-site cookie will not be sent to any cross-site request including links clicking from external sites. It’s because, “the logged-in state is stored as a SameSite=Strict cookie, when a user clicks such a link it will initially appear as if the user is not logged in,” Microsoft explained.
On the other hand, SameSite=Lax value with same-site cookie will only prevent cross-origin sub-resource requests, such as images. And, will be sent when navigating from an external site, such as when a link is clicked.
For backward compatibility, Microsoft said browsers that don’t support same-site cookies will continue to use “regular cookie” and the new attribute will be safely ignored.
Even thought it’s not yet a finalized standard and is currently being tested in RS5 development branch, Microsoft adds the feature is already planned to be added to Microsoft Edge and Ineternet Explore 11 on Creators Update and newer builds of Windows 10.
Microsoft also made some improvements to Windows Security Center (WSC) service that now requires “antivirus to be run as a protected process to register.” That said, Microsoft is advising antivirus companies to update their products as without this feature, Windows Defender Antivirus will remain enabled side-by-side with these products. And, their products will not anymore appear in the Windows Security UI.
Antivirus companies can use the following temporary registry key to test their products in Insider builds. The key will be removed once the feature is finalized.
DisableAvCheck (DWORD) = 1
In addition to Build 17672, Microsoft also released a new Windows Server 2019 Insider Preview Build 17666 of the Windows Server vNext Long-Term Servicing Channel (LTSC) release.
This release contains both Desktop Experience and Server Core in all 18 server languages, as well as a new build of the next Windows Server Semi-Annual Channel release.
In this build Microsoft had made improvements to performance history for Storage Spaces Direct cache for reads (% hit rate) and writes (% full) as well as CSV in-menory read cache (% hit rate).
These new series are available per-server and in aggregate.
Also, new cmdlets in this build simplifies management of volumes with delimited allocation. By using Get-StorageScaleUnit you can see fault domains; and follow associations to/from Get-VirtualDisk to see current allocation; set or modify allocation by using friendly names for fault domains.
The Server Core Edition is available in English only, in ISO or VHDX format.
To obtain this build just head over to the Windows Server Insider Preview download page. While, Server Cred Edition is pre-keyed – and needs not to enter a key during setup. The following keys can be use for unlimited activitations of:
Datacenter Edition 6XBNX-4JQGW-QX6QG-74P76-72V67
Standard Edition MFY9F-XBN2F-TYFMP-CCV49-RMYVH
Lastly, a new Windows 10 Preview SDK Build to be used in conjunction with Windows 10 Insider Preview Build 17666 or greater can be downloaded from developer section on Windows Insider.