Per-Site Permissions in Edge

Last year, I wrote about how the new Microsoft Edge browser mostly ignores Security Zones (except in very rare circumstances) when making security and permissions decisions. Instead, in Chromium, per-site permissions are controlled by settings and policies expressed using a simple syntax with limited wildcarding support.

Settings Page’s Site Permissions and Group Policy

Internet Explorer offered around 88 URLAction permissions, but the majority (62) of these settings have no equivalent; for instance, there are a dozen that control various features of ActiveX controls, a technology that does not exist in the new Edge.

Unfortunately, there’s no document mapping the old URLActions to the new equivalents (if any) available within the new Edge. 

When users open chrome://settings/content/siteDetails?site=https://example.com, they’ll find a long list of configuration switches and lists for various permissions. Users rarely use the Settings Page directly; instead, they make choices using various widgets and toggles in the Page Info dropdown (which appears when you click the lock) or via various prompts or buttons at the right edge of the address bar/omnibox.

Enterprises can use Group Policy to provision site lists for individual policies that control the browser’s behavior. To find these policies, simply open the Edge Group Policy documentation and search for ForUrls to find the policies that allow and block behavior based on the loaded site’s URL. I recently wrote a post about Chromium’s URL Filter syntax, which doesn’t always work like one might expect. Most of the relevant settings are listed within the Group Policy for Content Settings.

There are also a number of policies whose names contain Default that control the default behavior for a given setting.
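One way to review a machine's provisioned per-site policies is to group the ForUrls lists and the Default settings by feature and look for contradictory entries. The following is an added example, not code from the original post or from Edge: the input dictionary is a constructed sample, the `Default…Setting` naming rule and the `audit_site_policies` helper are assumptions made here, and patterns are compared only as exact strings (no URL pattern matching is attempted).

```python
import re
from collections import defaultdict

# Constructed sample: policy name -> value, shaped like a dump of applied Edge
# policies. Policy names are real; the URL patterns are made up for the example.
SAMPLE_POLICIES = {
    "DefaultNotificationsSetting": 2,
    "NotificationsAllowedForUrls": ["https://mail.contoso.example", "[*.]contoso.example"],
    "NotificationsBlockedForUrls": ["[*.]contoso.example"],
    "DefaultPopupsSetting": 2,
    "PopupsAllowedForUrls": ["*"],
    "SerialAskForUrls": ["https://tools.contoso.example"],
    "HomepageLocation": "https://intranet.contoso.example",
}

# <Feature><Action>ForUrls, e.g. NotificationsAllowedForUrls, SerialAskForUrls.
FOR_URLS = re.compile(r"^(?P<feature>[A-Za-z0-9]+?)(?P<action>Allowed|Blocked|Ask|SessionOnly)ForUrls$")


def audit_site_policies(policies):
    """Group per-site policies by feature; return (report, findings)."""
    report = defaultdict(lambda: {"default": None, "lists": {}})
    for name, value in policies.items():
        m = FOR_URLS.match(name)
        if m:
            report[m["feature"]]["lists"][m["action"]] = list(value)
        elif name.startswith("Default") and name.endswith("Setting"):
            # Some defaults use a different feature name (DefaultSerialGuardSetting).
            report[name[len("Default"):-len("Setting")]]["default"] = value
    findings = []
    for feature, entry in sorted(report.items()):
        seen = {}  # pattern -> first action list it appeared in
        for action, patterns in sorted(entry["lists"].items()):
            for pattern in patterns:
                if pattern.strip() == "*":
                    findings.append((feature, action, pattern, "bare wildcard entry"))
                if pattern in seen and seen[pattern] != action:
                    findings.append((feature, action, pattern, f"also listed under {seen[pattern]}"))
                seen.setdefault(pattern, action)
    return dict(report), findings
```

Policies that are not per-site settings, such as `HomepageLocation` in the sample, are ignored by the grouping.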

Here’s a list of Site Settings with information about their policies and behavior:

As you can see, some of these settings are very obscure (WebSerial, WebMIDI) while others will almost never be changed away from their defaults (Images).

-Eric

Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ MSFT '01-'12, and '18-, working on Office, IE, Edge, and Web Protection. My words are my own, I do not speak for any other entity.

4 thoughts on “Per-Site Permissions in Edge”

  1. Interesting article. I came across it while searching for a solution for a problem I recently ran into and could not find anyone else experiencing it let alone have a solution for me.
    I’m currently writing a browser extension using WebSerialAPI. The problem now is that I’d like to revoke the permission/binding of any given serial port for that extension. While I can do that just fine for a standard URL, whenever I try to revoke it (via edge://settings/content/serialPorts and the trashcan icon next to the respective entry) Edge crashes and does not remove the binding.
    Are these bindings stored in registry, a config file or somewhere else, where I could remove them somehow else?
    Any feedback would be appreciated greatly.
    Thanks

    1. It would be in the PREFERENCES json file in the Profile folder. Can you share the Uploaded CrashID from edge://crashes?

      1. Thanks Eric! That worked.
        This would be one of the BucketIDs from edge://crashes 8011fb6370b38f69a51cc92615e42ae2

  2. Sorry, didn’t copy all of it before.
    Here’s the rest
    {
    "Local ID": "2e702f60-14cd-48e5-9c1f-377c22e3fa4b",
    "Upload ID": "2e702f60-14cd-48e5-9c1f-377c22e3fa4b",
    "Bucket ID": "8011fb6370b38f69a51cc92615e42ae2",
    "Cab ID": "",
    "Capture Time": "Thursday, March 17, 2022 at 2:51:43 PM",
    "Upload Time": "Thursday, March 17, 2022 at 2:51:43 PM",
    "State": "Reported",
    "Application Name P1": "msedge.exe",
    "Application Version P2": "99.0.1150.39",
    "Module Name P3": "msedge.dll",
    "Module Version P4": "99.0.1150.39",
    "Module Offset P5": "14519285",
    "Process Type P6": "browser",
    "Sub Code P7": "0x80000003",
    "Stack Hash P8": "0"
    }
