Last year, I wrote about how the new Microsoft Edge browser mostly ignores Security Zones (except in very rare circumstances) when making security and permissions decisions. Instead, in Chromium, per-site permissions are controlled by settings and policies expressed using a simple URL-pattern syntax with limited wildcard support.
Settings Page’s Site Permissions and Group Policy
Internet Explorer offered around 88 URLAction permissions, but the majority (62) of these settings have no equivalent; for instance, there are a dozen that control various features of ActiveX controls, a technology that does not exist in the new Edge.
Unfortunately, there’s no document mapping the old URLActions to the new equivalents (if any) available within the new Edge.
When users open chrome://settings/content/siteDetails?site=https://example.com, they’ll find a long list of configuration switches and lists for the various permissions. Users rarely use the Settings Page directly, instead making choices using the widgets and toggles in the Page Info dropdown (which appears when you click the lock) or via the prompts and buttons at the right edge of the address bar (omnibox).
Enterprises can use Group Policy to provision site lists for the individual policies that control the browser’s behavior. To find these policies, open the Edge Group Policy documentation and search for ForUrls to find the policies that allow and block behavior based on the loaded site’s URL. I recently wrote a post about Chromium’s URL Filter syntax, which doesn’t always work like one might expect. Most of the relevant settings are listed within the Content Settings group of the Group Policy documentation.
There are also a number of policies whose names contain Default that control the default behavior for a given setting, i.e. what happens when no ForUrls entry matches the site.
Here’s a list of Site Settings with information about their policies and behavior:
- Location
No SiteList policy, but it can be controlled entirely via DefaultGeolocationSetting.
- Camera
Rather than a Default/ForUrls pair, this is controlled by VideoCaptureAllowed (allow or deny capture by default) and VideoCaptureAllowedUrls (sites that may capture without prompting).
- Microphone
Likewise controlled by AudioCaptureAllowed and AudioCaptureAllowedUrls.
- Motion or Light Sensors
- Notifications
DefaultNotificationsSetting, NotificationsAllowedForUrls, NotificationsBlockedForUrls. See also Adaptive Notifications.
- JavaScript
If you’re especially security-conscious, you could disable JavaScript on all sites except those you manually trust. Managed by the DefaultJavaScriptSetting, JavaScriptAllowedForUrls and JavaScriptBlockedForUrls policies.
- Images
DefaultImagesSetting, ImagesAllowedForUrls.
- Popups and Redirects
“This site may initiate a popup without a signal (such as a user gesture) that such a popup is expected.” Controlled by the PopupsAllowedForUrls and DefaultPopupsSetting policies.
- Ads
You may be surprised to learn that Chrome and Edge have a built-in ad-blocker. It can only block ads on a small list of sites that the vendor has flagged for “abusive ad use” (the site shows intrusive or misleading ads). This setting allows you to exempt a flagged site from that blocking; (sadly) you cannot use it to block ads on sites that are not on the abusive-ads list.
- Background Sync
Web API that allows ServiceWorker applications to perform sync operations in the background.
- Automatic Downloads
This is a misleading setting name. It amounts to “This site may initiate a file download without a signal (such as a user gesture) that such a download is expected.” Presently, there’s no Policy to control this; a site should be architected to avoid triggering this permission. (Note: presently there are bugs for downloads from cross-origin frames and also for Edge’s IE Mode.)
- Handlers
Prompting and configuration for the HTML5 registerProtocolHandler API. Managed by the RegisterProtocolHandlers policy.
- MIDI Devices
WebMIDI is a standard for integrating with musical instruments.
- Zoom Levels
The browser stores any non-default Zoom level the user has set when visiting the page.
- USB Devices
Managed by DefaultWebUsbGuardSetting, WebUsbAllowDevicesForUrls, WebUsbAskForUrls and WebUsbBlockedForUrls.
- Serial Ports
DefaultSerialGuardSetting, SerialAskForUrls, SerialBlockedForUrls.
- File Editing
- Cookies
Controlled by a bakery full of policies: DefaultCookiesSetting, CookiesAllowedForUrls (with a surprising relationship to Auth), CookiesBlockedForUrls, CookiesSessionOnlyForUrls and BlockThirdPartyCookies.
- Insecure content
By default, the browser will block “active mixed content” (e.g. JavaScript served via HTTP) when it is embedded in an HTTPS page. The InsecureContentAllowedForUrls policy allows you to shoot yourself in the foot; its counterpart, InsecureContentBlockedForUrls, goes the other way and also blocks optionally-blockable mixed content such as images.
- Your Device Use
Allows sites to detect when the device has gone idle or the screen has been locked/unlocked (the Idle Detection API).
As you can see, some of these settings are very obscure (WebSerial, WebMIDI) while others will almost never be changed away from their defaults (Images).
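As an added example (not part of the original post), here is how the “block JavaScript everywhere except sites you trust” configuration from the list above can be provisioned on a Windows machine without a domain, by writing the same registry values that Group Policy would write. The helper function name, the hostnames and the exact hive layout comments are assumptions for illustration; the helper works the same way for any of the other ForUrls list policies on this page.

```powershell
# Added example (not from the original post). Provisions the
# "block JavaScript everywhere except trusted sites" configuration by
# writing the registry values that Group Policy would set. Run from an
# elevated PowerShell prompt on the machine being configured.
#
# Assumptions (illustrative, not from the post): the hive path below is
# the standard Edge machine-policy location; list policies are stored as
# a subkey whose string values are named "1", "2", ... (one URL pattern
# each); the hostnames are placeholders.

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Set-EdgeUrlListPolicy {
    # Helper (assumed name): replaces the whole list for a *ForUrls policy.
    param(
        [Parameter(Mandatory)] [string]   $PolicyName,   # e.g. 'JavaScriptAllowedForUrls'
        [Parameter(Mandatory)] [string[]] $Patterns      # e.g. '[*.]contoso.com'
    )
    $listKey = Join-Path $EdgePolicyKey $PolicyName
    # Recreate the subkey so entries left over from a previous, longer
    # list do not survive; every numbered value present is read as a pattern.
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    $index = 1
    foreach ($pattern in $Patterns) {
        New-ItemProperty -Path $listKey -Name "$index" -Value $pattern -PropertyType String | Out-Null
        $index++
    }
}

# 1. Default: no site may run JavaScript
#    (DefaultJavaScriptSetting: 1 = allow, 2 = block).
New-Item -Path $EdgePolicyKey -Force | Out-Null
New-ItemProperty -Path $EdgePolicyKey -Name 'DefaultJavaScriptSetting' `
    -Value 2 -PropertyType DWord -Force | Out-Null

# 2. Allow-list of trusted sites. '[*.]' matches the host and all of its
#    subdomains; a bare host matches that exact host only.
Set-EdgeUrlListPolicy -PolicyName 'JavaScriptAllowedForUrls' -Patterns @(
    'https://[*.]contoso.com',   # placeholder domain
    'https://intranet.example'   # placeholder host
)

# 3. Read back what was written, then open edge://policy in the browser
#    and check that both policies appear with the expected values.
Get-ItemProperty -Path $EdgePolicyKey -Name 'DefaultJavaScriptSetting'
Get-ItemProperty -Path (Join-Path $EdgePolicyKey 'JavaScriptAllowedForUrls') |
    Select-Object -Property * -ExcludeProperty PS*
```

Because the Default policy is set to block, the list acts as an allow-list; swapping in JavaScriptBlockedForUrls with a Default of 1 gives the opposite, deny-list shape. The recreate-the-subkey step matters whenever a list shrinks: numbered values that are simply left behind are still read as patterns.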
-Eric
Interesting article! I came across it while searching for a solution to a problem I recently ran into, and could not find anyone else experiencing it, let alone having a solution for me.
I’m currently writing a browser extension using the WebSerial API. The problem now is that I’d like to revoke the permission/binding of any given serial port for that extension. While I can do that just fine for a standard URL, whenever I try to revoke it (via edge://settings/content/serialPorts and the trashcan icon next to the respective entry) Edge crashes and does not remove the binding.
Are these bindings stored in the registry, a config file or somewhere else, where I could remove them some other way?
Any feedback would be appreciated greatly.
Thanks
It would be in the Preferences JSON file in the Profile folder. Can you share the Uploaded Crash ID from edge://crashes?
Thanks Eric! That worked.
This would be one of the Bucket IDs from edge://crashes: 8011fb6370b38f69a51cc92615e42ae2
Sorry, didn’t copy all of it before.
Here’s the rest
{
"Local ID": "2e702f60-14cd-48e5-9c1f-377c22e3fa4b",
"Upload ID": "2e702f60-14cd-48e5-9c1f-377c22e3fa4b",
"Bucket ID": "8011fb6370b38f69a51cc92615e42ae2",
"Cab ID": "",
"Capture Time": "Thursday, March 17, 2022 at 2:51:43 PM",
"Upload Time": "Thursday, March 17, 2022 at 2:51:43 PM",
"State": "Reported",
"Application Name P1": "msedge.exe",
"Application Version P2": "99.0.1150.39",
"Module Name P3": "msedge.dll",
"Module Version P4": "99.0.1150.39",
"Module Offset P5": "14519285",
"Process Type P6": "browser",
"Sub Code P7": "0x80000003",
"Stack Hash P8": "0"
}