Okay, I get why this change sounds great, but I'm pretty sure a consequence is that password managers will no longer autofill on Entra sign-in pages. That will likely lead to weaker credentials or weaker storage of them. That feels like a net loss.

UPDATE: All's well, mostly. Because of the way that extension-based password managers add their content, they should be exempted from this policy. Basically, if they don't add inline scripts, they're golden. KeePassXC and Bitwarden do not; I presume 1Password does not either. Sorry for the false alarm.

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/enhance-protection-of-microsoft-entra-id-authentication-by-blocking-external-scr/4435200

Enhance protection of Microsoft Entra ID authentication by blocking external script injection | Microsoft Community Hub

Microsoft is further enhancing security of the Microsoft Entra ID authentication experience by blocking external script injection. [Action may be required]

@mttaggart Isn't the extension code authorized anyway by the browser?!
@eragon The site decides the Content Security Policy and absolutely can prevent extension code from messing with it.
@mttaggart Yeah, but that is ultimately enforced by the browser.
The browser can ignore the CSP or modify it.
Surely this can be done.
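
The inline-script case mentioned in the update above, as an added example that is not from the thread or from Microsoft: a simplified model of how a browser decides whether an inline `<script>` may run under a page's Content Security Policy. The function names and the sample policy are assumptions made for illustration, and hash sources are recognised but not matched.

```javascript
// Added example: simplified CSP check for one inline <script> element.
// Hash sources are recognised but not matched (no hashing here).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineScriptVerdict(header, scriptNonce) {
  const d = parseCsp(header);
  // Inline <script> elements are governed by script-src-elem, falling back
  // to script-src and then default-src.
  const sources = d.get("script-src-elem") ?? d.get("script-src") ?? d.get("default-src");
  if (sources === undefined) return "allowed: no directive governs scripts";
  const lower = sources.map((s) => s.toLowerCase());
  const nonces = sources
    .filter((s) => /^'nonce-[^']+'$/i.test(s))
    .map((s) => s.slice(7, -1)); // nonce values are case-sensitive
  const hasHash = lower.some((s) => /^'sha(256|384|512)-/.test(s));
  if (scriptNonce && nonces.includes(scriptNonce)) return "allowed: nonce matches";
  // 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
  const strict = nonces.length > 0 || hasHash || lower.includes("'strict-dynamic'");
  if (!strict && lower.includes("'unsafe-inline'")) return "allowed: 'unsafe-inline'";
  return "blocked";
}

// Constructed policy for illustration; not the header Entra actually sends.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0mPerResponse' 'unsafe-inline'";

console.log(inlineScriptVerdict(SAMPLE_POLICY, "r4nd0mPerResponse")); // page's own script
console.log(inlineScriptVerdict(SAMPLE_POLICY, null)); // injected inline script, no nonce
```

With a nonce in the policy, the `'unsafe-inline'` keyword has no effect, so an inline script added to the page without the per-response nonce is refused.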