Microsoft Edge Extensions: New Publish API for more security
The optional Publish API brings four new features for the development of Edge extensions with increased security.
(Image: PopTika / shutterstock.com)
Microsoft has introduced a new Publish API for the development of extensions for its Edge web browser. This is intended to provide functions for increased security and is currently available as an option.
The innovation is part of the Microsoft Secure Future Initiative (SFI). The SFI has been in place since November 2023 with the aim of mitigating or preventing IT security incidents.
Four new security features
As Microsoft explains in a blog post, the Publish API brings four fundamental changes. Firstly, secrets are now API keys: with the help of the Publish API, API keys are automatically created by Microsoft's backend services so that they are generated anew for each developer, just like the ClientID, and therefore increase security as static access data is no longer required. Secondly, API key management is changing: only hashes of API keys are created and deleted in the database so that sensitive information is not stored directly.
Thirdly, the Publish API does not require an access token URL to be sent, but the URL is generated internally –, which reduces the risk of sensitive information becoming visible. Microsoft points out that this may require updating CI/CD pipeline configurations. And finally, the Publish API introduces a fourth innovation: API keys expire after 72 days. Previously, this period was two years. Developers will be regularly warned by email when an API key expires.
Videos by heise
Opt-in to the Publish API
Developers who would like to use the Publish API can set this up in the Partner Center. There, the new API can be activated as an opt-in feature on a voluntary basis. ClientId and Secrets must then be regenerated, which may entail updated authentication workflows. CI/CD pipelines must then be configured if they are affected by the changes to the access token URL and API key.
Due to the increased security, extension developers are called upon to switch to the new API as soon as possible. Further information can be found on the Microsoft Edge blog.
(mai)
