But it also means all sorts of in-browser evil is possible. Norman cites data suggesting 45 per cent of CVEs issued for V8 were related to its JIT engine.
Norman argues that these days JIT doesn't make a massive difference to browser performance. He also points out that the presence of V8's JIT prevents the use of alternative mitigations.
Microsoft is therefore going to try to build what it calls "Super Duper Security Mode" for Edge, by disabling JIT and eventually adding other security mitigations – namely Controlflow-Enforcement Technology (CET) and Arbitrary Code Guard and Control Flow Guard.
"Super Duper Security Mode" is already available. Type
edge://flags/#edge-enable-super-duper-secure-mode into Edge and the browser provides a long list of its security controls so you can see what you'll be missing if you decide to join Microsoft's experiment.
"This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome," Norman wrote. "Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature. For now, we are going to continue having fun with it."
- Google hits undo on Chrome browser alert change that broke websites, web apps
- Developing for Windows 11: Like developing for Windows 10, but with rounded corners?
- Internet Explorer downgraded to 'Walking Dead' status as Microsoft sets date for demise
A more "professional" (read: less goofy) name could be a good thing. Or maybe not.
Despite being baked into over a billion machines running Windows 10 – which includes rather insistent nagware encouraging use of the browser – Edge has just 3.41 per cent market share according to statcounter Global Stats. A fun name like "Super Duper Security Mode" might make more of a difference to users than hard-to-appreciate changes to security plumbing. ®