Last year, I wrote about how the new Microsoft Edge browser mostly ignores Security Zones (except in very rare circumstances) to configure security and permissions decisions. Instead, in Chromium per-site permissions are controlled by settings and policies expressed using a simple syntax with limited wildcarding support.
Settings Page’s Site Permissions and Group Policy
Internet Explorer offered around 88 URLAction permissions, but the majority (62) of these settings have no equivalent; for instance, there are a dozen that control various features of ActiveX controls, a technology that does not exist in the new Edge.
Unfortunately, there’s no document mapping the old URLActions to the new equivalents (if any) available within the new Edge.
When users open chrome://settings/content/siteDetails?site=https://example.com, they’ll find a long list of configuration switches and lists for various permissions. Users rarely use the Settings Page directly, instead making choices using various widgets and toggles in the Page Info dropdown (which appears when you click the lock) or via various prompts or buttons at the right edge of the address bar/omnibox.
Enterprises can use Group Policy to provision site lists for individual policies that control the browser’s behavior. To find these policies, simply open the Edge Group Policy documentation and search for ForUrls to find the policies that allow and block behavior based on the loaded site’s URL. I recently wrote a post about Chromium’s URL Filter syntax, which doesn’t always work like one might expect. Most of the relevant settings are listed within the Group Policy for Content Settings.
There are also a number of policies whose names contain Default that control the default behavior for a given setting.
Here’s a list of Site Settings with information about their policies and behavior:
- Location – No SiteList policy, but it can be controlled entirely via defaultgeolocationsetting.
- Camera – No SiteList policy, but it can be controlled entirely via videocaptureallowedurls.
- Microphone – No SiteList policy, but it can be controlled entirely via audiocaptureallowed.
- Motion or Light Sensors
- Notifications – DefaultNotificationsSetting
- JavaScript – If you’re especially security-conscious, you could disable JavaScript on all sites except those you manually trust. Managed by the defaultJavaScriptSetting, JavascriptAllowedforUrls and JavaScriptBlockedforUrls policies.
- Images – defaultimagessetting, imagesallowedforurls
- Popups and Redirects – “This site may initiate a popup without a signal (such as a user gesture) that such a popup is expected.” Controlled by the popupsallowedforurls and defaultpopupssetting policies.
- Ads – You may be surprised to learn that Chrome and Edge have a built-in ad-blocker. It is only capable of blocking ads on a small list of sites which have been flagged by the vendor for “abusive ad use” (site shows intrusive or misleading ads). This setting allows you to exempt ads on sites that have been so flagged. (Sadly) you cannot use this setting to block ads on sites that are not on the abusive ad list.
- Background Sync
- Automatic Downloads – This is a misleading setting name. Basically, it amounts to “This site may initiate a file download without a signal (such as a user gesture) that such a download is expected.”
- Handlers – Prompting and configuration for the HTML5 RegisterProtocolHandler API. Managed by the RegisterProtocolHandlers policy.
- MIDI Devices – WebMIDI is a standard for integrating with musical instruments.
- Zoom Levels
- USB Devices – Managed by DefaultWebUSBGuardSetting, WebUsbAllowDevicesForUrls, WebUsbAskForUrls, WebUsbBlockedForUrls
- Serial Ports – DefaultSerialGuardSetting
- File Editing
- Cookies – Controlled by a bakery full of policies: defaultcookiessetting, cookiesallowedforurls (with a surprising relationship to Auth), cookiesblockedforurls, cookiessessiononlyforurls, blockthirdpartycookies.
- Insecure content – By default, the browser will block “active mixed content” (e.g. JavaScript served via HTTP) when embedded on an HTTPS page. The insecurecontentallowedforurls policy allows you to shoot yourself in the foot.
- Your Device Use – I have no idea what this is.
As you can see, some of these settings are very obscure (WebSerial, WebMIDI) while others will almost never be changed away from their defaults (Images).
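To make the Default*Setting / *AllowedForUrls / *BlockedForUrls interplay concrete, here is an added example of my own (it is not code from this post, from Edge, or from Chromium) that models how one site’s JavaScript setting is decided from such a policy set. It uses a deliberately reduced pattern syntax, [scheme://][[*.]host][:port] with any path discarded, and the precedence rule it applies (most specific matching pattern wins, block beats allow on a tie) is an assumption of this model rather than a documented browser guarantee. The policy lists in JS_POLICY, the contoso.example and intranet.example hosts, and the helper names (parse_pattern, matches, resolve, lint_patterns, js_setting_for) are all constructed for the example; the 1 = allow / 2 = block values follow the Chromium policy documentation.

```python
# Added example: a simplified model of resolving a Chromium-style content setting
# for a URL from a Default*Setting value plus *AllowedForUrls / *BlockedForUrls lists.
# Not the browser's own implementation; pattern syntax and precedence are reduced.
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ALLOW, BLOCK = 1, 2                       # values used by the Default*Setting policies
DEFAULT_PORTS = {"http": "80", "https": "443"}


@dataclass(frozen=True)
class Pattern:
    scheme: Optional[str]                 # None = any scheme ("*://" or omitted)
    host: str                             # "*" = any host
    subdomains: bool                      # True for "[*.]host"
    port: Optional[str]                   # None = any port


def parse_pattern(text: str) -> Pattern:
    """Parse [scheme://][[*.]host][:port]; a bare '*' matches every URL.
    Assumption of this model: any path component is dropped."""
    if text == "*":
        return Pattern(None, "*", True, None)
    scheme, rest = None, text
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
        scheme = None if scheme == "*" else scheme.lower()
    rest = rest.split("/", 1)[0]          # discard the path
    port = None
    if ":" in rest:
        rest, port = rest.rsplit(":", 1)
        port = None if port == "*" else port
    subdomains = rest.startswith("[*.]")
    host = rest[4:] if subdomains else rest
    if host == "*":
        subdomains = True
    return Pattern(scheme, host.lower(), subdomains, port)


def matches(p: Pattern, url: str) -> bool:
    """True if the pattern covers the URL's scheme, host and (effective) port."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = str(u.port) if u.port else DEFAULT_PORTS.get(u.scheme)
    if p.scheme is not None and p.scheme != u.scheme:
        return False
    if p.port is not None and p.port != port:
        return False
    if p.host == "*" or host == p.host:
        return True
    return p.subdomains and host.endswith("." + p.host)


def specificity(p: Pattern) -> Tuple[int, bool, bool]:
    """Higher tuples win: exact host > [*.]host > '*', then explicit scheme, then explicit port."""
    host_rank = 0 if p.host == "*" else (1 if p.subdomains else 2)
    return (host_rank, p.scheme is not None, p.port is not None)


def resolve(default: int, allowed: List[str], blocked: List[str], url: str) -> int:
    """Return ALLOW or BLOCK for url. Model rule (an assumption, not a browser
    guarantee): the most specific matching pattern wins; block wins a tie."""
    best = None                           # (specificity, setting)
    for setting, patterns in ((ALLOW, allowed), (BLOCK, blocked)):
        for text in patterns:
            p = parse_pattern(text)
            if not matches(p, url):
                continue
            spec = specificity(p)
            if best is None or spec > best[0] or (spec == best[0] and setting == BLOCK):
                best = (spec, setting)
    return default if best is None else best[1]


def lint_patterns(patterns: List[str]) -> List[str]:
    """Warn about non-file patterns carrying a path: this model (and the browser,
    for http(s) origins) applies the rule to the whole host, not one directory."""
    warnings = []
    for text in patterns:
        after_scheme = text.split("://", 1)[-1]
        if "/" in after_scheme and not text.startswith("file://"):
            warnings.append(f"{text}: path ignored, rule applies to the whole host")
    return warnings


# Constructed policy set: JavaScript blocked everywhere except explicitly trusted sites.
JS_POLICY = {
    "DefaultJavaScriptSetting": BLOCK,
    "JavaScriptAllowedForUrls": ["https://[*.]contoso.example", "https://intranet.example:8443"],
    "JavaScriptBlockedForUrls": ["https://legacy.contoso.example"],
}


def js_setting_for(url: str) -> int:
    return resolve(JS_POLICY["DefaultJavaScriptSetting"],
                   JS_POLICY["JavaScriptAllowedForUrls"],
                   JS_POLICY["JavaScriptBlockedForUrls"], url)


if __name__ == "__main__":
    for u in ("https://app.contoso.example/", "http://app.contoso.example/",
              "https://legacy.contoso.example/", "https://intranet.example:8443/",
              "https://intranet.example/", "https://unknown.example/"):
        print(u, "ALLOW" if js_setting_for(u) == ALLOW else "BLOCK")
    print(lint_patterns(["https://[*.]contoso.example/app/"]))
```

Two things the run makes visible that the policy names alone do not: an allow rule written with an https:// scheme leaves the plain http:// version of the same host on the default (blocked) setting, and a rule with an explicit port leaves the default port uncovered, so the lint pass and a handful of resolve() checks like these are worth running before a site list is pushed through Group Policy.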
-Eric
Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ MSFT '01-'12, and '18-, presently working on Microsoft Edge. My words are my own.