> [The New Tab Page] is actually a higher privileged page.
This combination sounds risky no matter how you slice it. Amongst other things, your user's browser security now depends on the security of your user facing web site.
This applies to Firefox also unfortunately...
I originally looked at Edge as a very secure browser choice until I realized Microsoft's zeal for ad revenue meant it literally came with malicious links built-in.
Text: "A browser that's 200% faster than Chrome". It's an ad for Brave.
Back in the IE5 days they had similar bugs in res:// (DLL resource) pages, running in the then-highly-privileged My Computer Zone. Took years of reporting the same kind of crap before they finally deprivileged it.
New browser, new code base, new devs... all the old bugs are new again.
1. Why don't chrome:// pages have at least basic CSP setup to mitigate XSS?
2. Why isn't Microsoft using some sort of framework which abstracts them from direct DOM access?
This bug I see in Chromium-based Edge looks like something anyone could stumble across; it is far simpler, and smells like a lot less effort went into secure architecture design.
In Mithril, for example, injecting raw HTML requires you to explicitly call the trust method, so doing it wrong is more work than doing it right, and the documentation is very clear about the risks of trusting data.
In Thymeleaf, displaying text uses th:text, injecting raw HTML uses th:utext, and the documentation is clear on the difference, but this seems a bit more subtle and easy to miss for those who aren't familiar with the consequences.
Microsoft's ASP.NET, from what I can tell, used to do it the PHP-style wrong-by-default way, relying on developers' unfailing vigilance in remembering to call Html.Encode every single time they display a value if they wanted to avoid XSS, but in version 4 syntax was added for displaying values as text by default. Their newer Razor templating library apparently also does the right thing.
So... maybe these pages were created in old-style ASP.NET? Or have newer libraries recreated the mistakes of the past?
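As an added example, not code from the thread or from any of the libraries named above: a minimal safe-by-default renderer in the style of Mithril's explicit trust() opt-in, run against a constructed ad title of the kind a New Tab Page might display. The helper names (escapeHtml, trust, renderTile, renderTileUnsafe) and the sample string are assumptions made for illustration.

```javascript
// Added example: safe-by-default rendering versus the innerHTML-style
// "inject whatever the feed sent" pattern discussed in the thread.
// Helper names and the sample ad title are constructed for illustration.

// Escape the characters that change meaning in HTML text and attribute
// context, so untrusted text can never open a tag or break out of a quote.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Marker type: a value is rendered as raw markup only if the caller wrapped
// it explicitly, which mirrors Mithril's m.trust() and Thymeleaf's th:utext.
class TrustedHtml {
  constructor(html) { this.html = html; }
}
function trust(html) { return new TrustedHtml(html); }

// Right-by-default renderer: plain strings are escaped, TrustedHtml passes
// through. Doing the unsafe thing requires an extra, visible call.
function renderTile(title) {
  const inner = title instanceof TrustedHtml ? title.html : escapeHtml(title);
  return `<div class="tile">${inner}</div>`;
}

// Wrong-by-default renderer for comparison: the feed string is spliced
// straight into markup, so any tag in it reaches the parser.
function renderTileUnsafe(title) {
  return `<div class="tile">${title}</div>`;
}

// Constructed sample input, not a real feed entry: a title carrying an
// event-handler attribute, the classic stored-XSS payload shape.
const adTitle = '<img src=x onerror="alert(document.domain)"> 200% faster than Chrome';

// Small check used below and by the tests: does the output contain a
// live <img> tag (as opposed to the escaped text "&lt;img")?
function containsImgTag(html) {
  return /<img\b/i.test(html);
}

console.log('safe:  ', renderTile(adTitle));
console.log('unsafe:', renderTileUnsafe(adTitle));
console.log('opted in:', renderTile(trust('<b>Sponsored</b>')));
```

In a privileged page the difference matters more than on an ordinary site: with the unsafe renderer, whoever controls the ad feed controls script in that origin, which is the point the thread is making about browser security depending on the ad pipeline.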
IIRC Chrome used to use https://www.google.com/_/chrome/newtab as its ntp.