Add browser compatibility guidelines and review instructions for msal-browser (#8525)

This pull request introduces comprehensive documentation and review
process improvements focused on browser compatibility, privacy risks,
and the handling of browser Web APIs in the `msal-browser` library. The
changes add a detailed compatibility map, new review instructions, and
update existing documentation to ensure that all browser API usage is
tracked, reviewed, and communicated clearly to both developers and
reviewers.

**Key changes include:**

### Browser Compatibility Documentation and Review Process

* Added a new, detailed browser compatibility review instruction file
(`.github/instructions/browser_compat.instructions.md`) that provides a
checklist for reviewing changes to browser Web API usage, including
privacy risks, fallback requirements, and cross-browser restrictions.
* Introduced a comprehensive "Browser Compatibility Map"
(`lib/msal-browser/docs/browser-compat-map.md`) documenting all browser
APIs used by MSAL, their restrictions across browsers and privacy modes,
and upcoming changes in browser beta channels. This serves as a central
reference for reviewers and is to be updated with every new or changed
API dependency.

### Integration with Review Workflows

* Updated the doc review instructions to require updating the
compatibility map whenever browser Web API usage is introduced, removed,
or changed, ensuring documentation stays current with code changes.
* Enhanced the agent guidelines (`AGENTS.md`) to reference the new
compatibility map and review checklist, clarifying when and how browser
compatibility should be checked during PR review.

### Security and Privacy Best Practices

* Strengthened the security guidance in the redirect bridge
documentation to explicitly prohibit hosting the bridge or its assets on
third-party CDNs or origins, require `Cache-Control: no-store`, and
explain privacy risks in Safari Private Browsing and similar modes.

These changes together ensure that MSAL's browser compatibility and
privacy risks are systematically tracked, reviewed, and documented,
reducing the likelihood of subtle breakages or security regressions
across browsers and privacy modes.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: konstantin-msft

.github/instructions/browser_compat.instructions.md

@@ -0,0 +1,22 @@
+---
+description: "Use when reviewing or modifying msal-browser source code that introduces, changes, or removes browser Web API usage."
+applyTo: "**/lib/msal-browser/src/**"
+---
+
+# Browser Compatibility Review
+
+When a change to `lib/msal-browser/src/` introduces, modifies, or removes a browser Web API call, review the [Browser Compatibility Map](../../lib/msal-browser/docs/browser-compat-map.md) for MSAL-specific restrictions and flow dependencies.
+
+## Review steps
+
+1. **Cross-reference the compatibility map** — check which auth flows depend on the affected API, known restrictions, and whether a fallback exists.
+2. **New API not in the map** — verify support on MDN/Can I Use (Chrome, Edge, Firefox, Safari desktop+iOS, Chrome Android). Check Private Browsing behavior and storage-partitioning impact. Request the map be updated.
+3. **Validate fallback paths** — confirm `try/catch` or feature-detection guards exist for APIs with known restrictions. If no fallback exists on a critical path, flag for discussion.
+4. **Check CSP/COOP/framing** — iframe changes need `frame-src`/sandbox review; popup changes need COOP consideration; `fetch()`/form-submit changes need `connect-src`/`form-action` review.
+5. **Check beta channel risks** — see the "Upcoming Changes" section of the map for pending browser changes affecting the touched API.
+
+## What to flag
+
+- **Must fix**: API unavailable in a supported browser/mode with no fallback or `try/catch`
+- **Discuss**: Critical-path API with known restrictions in beta channels
+- **Informational**: Well-supported new API that should be added to the compatibility map

.github/instructions/doc_review.instructions.md

@@ -33,6 +33,7 @@ Each library has its own `docs/` directory. When reviewing changes, look for the
 
 - Changes affected by browser security policies (COOP, COEP, storage partitioning, iframe sandboxing) → update `lib/msal-browser/docs/redirect-bridge.md`, `lib/msal-browser/docs/iframe-usage.md`
 - Changes to cross-origin or cross-window communication → update relevant flow docs and known limitations
+- Browser API changes: If the change introduces, removes, or modifies usage of a browser Web API (`sessionStorage`, `localStorage`, `IndexedDB`, `BroadcastChannel`, `crypto.subtle`, `window.open`, hidden iframes, `fetch`, `document.cookie`, form submission, etc.), update `lib/msal-browser/docs/browser-compat-map.md` with the new or changed API entry, known restrictions, and fallback behavior
 
 ### Migration impact
 

AGENTS.md

@@ -50,3 +50,9 @@ When a commit deletes, renames, or moves files and directories (especially sampl
 - Anchor references (`#heading-name`) if headings were changed
 
 Update or remove stale links introduced or exposed by the current change before merging. For a full repo-wide audit, use the `/doc-audit` prompt (`.github/prompts/doc-audit.prompt.md`). Follow guidelines listed at `.github/instructions/doc_links.instructions.md`.
+
+### Browser Compatibility
+
+Changes to `lib/msal-browser/src/` that introduce, modify, or remove browser Web API usage should be checked against the [Browser Compatibility Map](lib/msal-browser/docs/browser-compat-map.md). The compatibility map catalogs every browser API that MSAL depends on, known restrictions across browsers and privacy modes (Safari Private Browsing, Chrome storage partitioning, Firefox ETP), and upcoming browser changes in beta channels.
+
+The `.github/instructions/browser_compat.instructions.md` instruction is automatically loaded for changes under `lib/msal-browser/src/` and provides a review checklist for identifying compatibility risks.

lib/msal-browser/docs/browser-compat-map.md

@@ -0,0 +1,122 @@
+# Browser Compatibility Map for MSAL Browser
+
+This document catalogs browser Web APIs that MSAL Browser depends on, their role in authentication flows, MSAL's fallback behavior, and known MSAL-specific restrictions. For general browser support data, refer to [MDN Web Docs](https://developer.mozilla.org/).
+
+> **Maintenance:** Update this file when a new browser API dependency is introduced or a browser change is discovered that affects MSAL flows.
+
+## API Dependencies
+
+### Storage
+
+| API | MSAL Usage | Fallback |
+|-----|-----------|----------|
+| `sessionStorage` | Interaction status, PKCE verifier, redirect origin URL, redirect bridge response cache | `MemoryStorage` (response lost on navigation) |
+| `localStorage` | Persistent token cache (when `cacheLocation: "localStorage"`) | None if configured; not used by default |
+| `IndexedDB` | PoP token RSA keypairs | In-memory (keys lost on reload) |
+| `document.cookie` | Encryption key for localStorage cache | None — cache cannot be decrypted without it |
+
+**MSAL-specific restrictions:**
+- Safari PB: `sessionStorage.setItem()` immediately before `location.replace()` may lose data — affects redirect bridge (`handleRedirectPromise` returns `null`)
+- Safari ITP: 7-day cap on script-writable `localStorage`/cookies — tokens evicted without user interaction
+- Firefox PB: `indexedDB.open()` throws `SecurityError` — PoP falls back to memory
+- Chrome 115+ / Safari 16.1+: storage partitioned in cross-origin iframes — affects NAA and embedded apps
+
+### Crypto
+
+All `crypto.subtle` methods require HTTPS (secure context). On HTTP origins, `crypto.subtle` is `undefined`.
+
+| API | MSAL Usage | Fallback |
+|-----|-----------|----------|
+| `crypto.subtle.digest()` | PKCE `code_challenge` (SHA-256) | None — PKCE is mandatory |
+| `crypto.getRandomValues()` | PKCE verifier, state, nonce, correlation IDs | None |
+| `crypto.subtle.generateKey()` | PoP RSA keypairs, EAR AES keys | None for PoP/EAR |
+| `crypto.subtle.importKey()` | PoP signing, EAR decryption, localStorage encryption (HKDF → AES-GCM) | None |
+| `crypto.subtle.sign()` | PoP token signing | None |
+| `crypto.subtle.decrypt()` | EAR response decryption, localStorage decryption | None |
+| `crypto.subtle.deriveKey()` | HKDF key derivation for localStorage encryption | None |
+
+**MSAL-specific restriction:** `deriveKey()` with HKDF as base key requires Firefox 119+.
+
+### Messaging
+
+| API | MSAL Usage | Fallback |
+|-----|-----------|----------|
+| `BroadcastChannel` | Redirect bridge (popup/iframe → main frame), cross-tab cache sync | None for redirect bridge |
+| `postMessage` + `MessageChannel` | WAM browser extension communication | None for WAM path |
+
+**MSAL-specific restrictions:**
+- Chrome 115+ / Firefox TCP: `BroadcastChannel` partitioned by top-level site — breaks cross-origin iframe ↔ popup communication
+- Safari PB: cross-tab channels do not persist
+
+### Navigation & Window
+
+| API | MSAL Usage | Fallback |
+|-----|-----------|----------|
+| `window.location.assign()` / `.replace()` | Navigate to IdP | None |
+| `window.location.hash` / `.search` | Extract auth response from redirect URL | None |
+| `window.history.replaceState()` | Clean auth params from URL | Graceful no-op (URL stays dirty) |
+| `pageshow` event | Detect bfcache restoration to clear stale interaction state | Graceful — may cause `interaction_in_progress` error |
+| `window.open()` | Popup auth flows | None for popup |
+| Hidden iframe | Silent token renewal (`ssoSilent`, `acquireTokenSilent` fallback) | None for silent renewal |
+| `window.close()` | Close popup after auth | Graceful — popup stays open |
+
+**MSAL-specific restrictions:**
+- `window.open()` must be in a user-gesture call stack or browsers block it
+- COOP `same-origin` on AAD severs `window.opener` in popups — redirect bridge mitigates
+- Silent iframe requires IdP to allow framing and 3P cookies to be available; breaks under Safari ITP, Firefox TCP, and Chrome with 3P cookies disabled
+- Office.js sets `history.replaceState` to `null` — MSAL guards with `typeof` check
+
+### Network & DOM
+
+| API | MSAL Usage | Fallback |
+|-----|-----------|----------|
+| `fetch()` | All HTTP requests (token endpoint, discovery, custom auth) | None |
+| `TextEncoder` / `TextDecoder` | String ↔ binary for crypto | None |
+| `atob()` / `btoa()` | Base64 for JWK and token parsing | None |
+| Hidden form + `form.submit()` | POST-based `/authorize` (EAR, redirect POST, silent iframe POST) | None for POST flows |
+| `<link rel="preconnect">` | Early DNS/TLS to authority domain | Graceful — just slower |
+
+**MSAL-specific restrictions:**
+- CSP `connect-src` must allow authority/token endpoint domains
+- CSP `form-action` must allow authority domain for POST flows
+- CSP `frame-src` must allow authority domain for silent iframe
+
+## Privacy Restrictions Affecting MSAL
+
+| Restriction | Affected Browsers | Impact on MSAL |
+|-------------|-------------------|----------------|
+| 3P cookie blocking | Safari (ITP), Firefox (TCP), Chrome (user setting/Incognito) | Silent iframe renewal fails |
+| Storage partitioning in iframes | Chrome 115+, Safari 16.1+, Firefox TCP | `BroadcastChannel`/storage isolated — breaks embedded app scenarios |
+| Script-writable storage 7-day cap | Safari ITP | `localStorage` tokens evicted; cookie-based encryption key lost |
+| Private Browsing ephemeral storage | Safari, Firefox, Chrome | Tokens lost on tab close; IndexedDB blocked in Firefox PB |
+| Tracker domain blocking (Safari 17+ PB) | Safari | CDN-hosted redirect bridge scripts may fail to load |
+
+## Upcoming Changes
+
+| Change | Status | MSAL Impact |
+|--------|--------|-------------|
+| Chrome Storage Access API | Shipping | Potential fallback for 3P-cookie-blocked iframe renewal |
+| Safari tracking domain list expansion | Ongoing | More CDN domains may be blocked in PB |
+| Firefox `BroadcastChannel` partitioned under TCP | Active (Firefox 102+) | Breaks cross-origin iframe ↔ popup channel |
+| Platform authentication proposal | Early proposal | May enable native broker without extension |
+
+## API-to-Flow Matrix
+
+| API | `loginRedirect` | `loginPopup` | `ssoSilent` | `acquireTokenSilent` | NAA | WAM |
+|-----|:-:|:-:|:-:|:-:|:-:|:-:|
+| `sessionStorage` | ✅ | | | | | |
+| `localStorage` | ○ | ○ | ○ | ○ | | |
+| `IndexedDB` | ○ | ○ | ○ | ○ | | |
+| `BroadcastChannel` | ¹ | ✅ | ✅ | ✅² | | |
+| `window.open()` | | ✅ | | | | |
+| Hidden iframe | | | ✅ | ✅² | | |
+| `crypto.subtle` | ✅ | ✅ | ✅ | ✅ | | |
+| `fetch()` | ✅ | ✅ | ✅ | ✅ | | ✅ |
+| `postMessage` | | | | | ✅ | ✅ |
+| Form submit (POST) | ○ | ○ | ○ | | | |
+| Cookies | ○ | ○ | ³ | ³ | | |
+
+- ✅ = required | ○ = optional/configurable
+- ¹ redirect bridge popup/iframe only (not direct redirect)
+- ² when refresh token expired and MSAL falls back to hidden iframe
+- ³ IdP session cookie required in iframe; MSAL's own cookie for localStorage encryption only