Edge Trusted Sites

Browsers As Decision Makers


As a part of every page load, browsers have to make dozens, hundreds, or even thousands of decisions — should a particular API be available? Should a resource load be permitted? Should script be allowed to run? Should video be allowed to start playing automatically? Should cookies or credentials be sent on network requests? The list is long.

In many cases, decisions are governed by two inputs: a user setting, and the URL of the page for which the decision is being made.

In the old Internet Explorer web platform, each of these decisions was called a URLAction, and the ProcessUrlAction(url, action, …) API allowed the browser or another web client to query its security manager for guidance on how to behave.

To simplify the configuration for the user or their administrator, the legacy platform classified sites into five¹ different Security Zones:

  • Local Machine
  • Local Intranet
  • Trusted
  • Internet
  • Restricted

Users could use the Internet Control Panel to assign specific sites to Zones and to configure the permission results for each zone. When making a decision, the browser would first map the execution context (site) to a Zone, then consult the setting for that URLAction for that Zone to decide what to do.

Reasonable defaults like “Automatically satisfy authentication challenges from my Intranet” meant that most users never needed to change any settings away from their defaults.

In corporate or other managed environments, administrators can use Group Policy to assign specific sites to Zones (via the “Site to Zone Assignment List” policy) and specify the settings for URLActions on a per-zone basis. This allowed Microsoft IT, for instance, to configure the browser with rules like “Treat https://mail.microsoft.com as a part of my Intranet and allow popups and file downloads without warning messages.”

Beyond manual administrative or user assignment of sites to Zones, the platform used additional heuristics that could assign sites to the Local Intranet Zone. In particular, the browser would assign dotless hostnames (e.g. https://payroll) to the Intranet Zone, and if a Proxy Configuration script was used, any sites configured to bypass the proxy would be mapped to the Intranet Zone.

Applications hosting Web Browser Controls, by default, inherit the Windows Zone configuration settings, meaning that changes made for Internet Explorer are inherited by other applications. In relatively rare cases, the host application might supply its own Security Manager and override URL Policy decisions for embedded Web Browser Control instances.

The Trouble with Zones

While powerful and convenient, Zones are simultaneously problematic bug farms:

  • Users might find that their mission critical corporate sites stopped working if their computer’s Group Policy configuration was outdated.
  • Users might manually set configuration options to unsafe values without realizing it.
  • Attempts to automatically provide isolation of cookies and other data by Zone led to unexpected behavior, especially for federated authentication scenarios.

Zone-mapping heuristics are especially problematic:

  • A Web Developer working on a site locally might find that it worked fine (Intranet Zone), but failed spectacularly for their users when deployed to production (Internet Zone).
  • Users were often completely flummoxed to find that the same page on a single server behaved very differently depending on how they referred to it — e.g. http://localhost/ (Intranet Zone) vs. http://127.0.0.1/ (Internet Zone).

The fact that proxy configuration scripts can push sites into the Intranet zone proves especially challenging, because:

  • A synchronous API call might need to know what Zone a caller is in, but determining that could, in the worst case, take tens of seconds — the time needed to discover the location of the proxy configuration script, download it, and run the FindProxyForUrl() function within it. This could lead to a hang and unresponsive UI.
  • A site’s Zone can change at runtime without restarting the browser (say, when moving a laptop between home and work networks, or when connecting or disconnecting from a VPN).
  • An IT Department might not realize the implications of returning DIRECT from a proxy configuration script and accidentally map the entire untrusted web into the highly-privileged Intranet Zone. (Microsoft IT accidentally did this circa 2011).
  • Some features like AppContainer Network Isolation are based on firewall configuration and have no inherent relationship to the browser’s Zone settings.

Legacy Edge

The legacy Edge browser (aka Spartan, Edge 18 and below) inherited the Zone architecture from its Internet Explorer predecessor with a few simplifying changes:

  • Windows’ five built-in Zones were collapsed to three: the Internet Zone (Internet), the Trusted Zone (Intranet + Trusted), and the Local Computer Zone. The Restricted Zone was removed.
  • Zone to URLAction mappings were hardcoded into the browser, ignoring group policies and settings in the Internet Control Panel.

Use of Zones in Chromium

Chromium goes further and favors making decisions based on explicitly-configured site lists and/or command-line arguments.

Nevertheless, in the interest of expediency, Chromium today uses Windows’ Security Zones by default in two places:

  1. When deciding how to handle File Downloads, and
  2. When deciding whether or not to release Windows Integrated Authentication (Kerberos/NTLM) credentials automatically.

For the first one, if you’ve configured the setting Launching applications and unsafe files to Disable in your Internet Control Panel’s Security tab, Chromium will block file downloads with a note: “Couldn’t download – Blocked.”

For the second, Chromium will process URLACTION_CREDENTIALS_USE to decide whether Windows Integrated Authentication is used automatically, or whether the user should instead see a manual authentication prompt. (Aside: the manual authentication prompt is really a bit of a mistake; the browser should instead just show a “Would you like to [Send Credentials] or [Stay Anonymous]?” dialog box, rather than forcing the user to reenter the credentials that Windows already has.)
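As an added illustration (not code from Internet Explorer, Chromium, or this post), the following Python models the pipeline described above: a URL is mapped to a Zone by explicit assignment, then by the dotless-host and proxy-bypass heuristics, and the Zone is then looked up for the two URLActions Chromium still consults. The check order, the exact-host site list and the per-zone defaults are simplifications and assumptions rather than a transcript of IE's code; the PAC functions and hostnames are constructed.

```python
"""Toy model of how legacy IE/Edge turned a URL into a Security Zone and then
into a URLAction decision. Added illustration, not Microsoft's code: the check
order, the wildcard-free site list and the per-zone defaults are simplified."""
from urllib.parse import urlsplit

# Zone ids as stored under HKCU\...\Internet Settings\Zones\<id>
LOCAL_MACHINE, INTRANET, TRUSTED, INTERNET, RESTRICTED = 0, 1, 2, 3, 4

# The two URLActions Chromium still consults (registry value names 1806 / 1A00).
URLACTION_SHELL_EXECUTE_HIGHRISK = 0x1806   # "Launching applications and unsafe files"
URLACTION_CREDENTIALS_USE = 0x1A00          # "Logon" (Windows Integrated Authentication)

# Policy values for 1806 ...
URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW = 0x0, 0x1, 0x3
# ... and for 1A00.
CRED_SILENT_LOGON_OK, CRED_MUST_PROMPT = 0x00000, 0x10000
CRED_CONDITIONAL_PROMPT, CRED_ANONYMOUS_ONLY = 0x20000, 0x30000

# Illustrative per-zone defaults (assumption: close to, not a copy of, IE's shipped values).
DEFAULTS = {
    URLACTION_SHELL_EXECUTE_HIGHRISK: {LOCAL_MACHINE: URLPOLICY_ALLOW, INTRANET: URLPOLICY_QUERY,
                                       TRUSTED: URLPOLICY_QUERY, INTERNET: URLPOLICY_QUERY,
                                       RESTRICTED: URLPOLICY_DISALLOW},
    URLACTION_CREDENTIALS_USE: {LOCAL_MACHINE: CRED_SILENT_LOGON_OK, INTRANET: CRED_CONDITIONAL_PROMPT,
                                TRUSTED: CRED_CONDITIONAL_PROMPT, INTERNET: CRED_CONDITIONAL_PROMPT,
                                RESTRICTED: CRED_MUST_PROMPT},
}


def zone_for(url, site_to_zone, find_proxy_for_url=None):
    """Map a URL to a zone: explicit assignment, then the two Intranet heuristics, else Internet."""
    host = (urlsplit(url).hostname or "").lower()
    if host in site_to_zone:                       # GP Site-to-Zone list / user Trusted Sites win
        return site_to_zone[host]
    if "." not in host:                            # dotless names: https://payroll, http://localhost
        return INTRANET
    if find_proxy_for_url is not None:             # PAC says "bypass the proxy" => Intranet
        if find_proxy_for_url(url, host).strip().upper().startswith("DIRECT"):
            return INTRANET
    return INTERNET                                # note: 127.0.0.1 has dots, so it lands here


def policy(action, zone, overrides=None):
    """ProcessUrlAction-style lookup: admin/user overrides shadow the built-in defaults."""
    value = DEFAULTS[action][zone]
    if overrides:
        value = overrides.get(action, {}).get(zone, value)
    return value


def credentials_sent_silently(zone, overrides=None):
    """Would Windows Integrated Auth answer a 401 challenge without asking the user?"""
    p = policy(URLACTION_CREDENTIALS_USE, zone, overrides)
    if p == CRED_SILENT_LOGON_OK:
        return True
    if p == CRED_CONDITIONAL_PROMPT:               # "Automatic logon only in Intranet zone"
        return zone == INTRANET
    return False


def download_outcome(zone, overrides=None):
    """What the user sees for a file download from a site in this zone."""
    p = policy(URLACTION_SHELL_EXECUTE_HIGHRISK, zone, overrides)
    return {URLPOLICY_ALLOW: "allow", URLPOLICY_QUERY: "prompt", URLPOLICY_DISALLOW: "blocked"}[p]


# Constructed PAC behaviours: a sane script, and the "return DIRECT for everything" mistake.
def sane_pac(url, host):
    return "DIRECT" if host.endswith(".corp.example") else "PROXY proxy.corp.example:8080"


def broken_pac(url, host):
    return "DIRECT"


if __name__ == "__main__":
    gp_site_list = {"mail.corp.example": INTRANET}    # constructed Site-to-Zone assignment
    for url in ("https://payroll/", "http://localhost/", "http://127.0.0.1/",
                "https://mail.corp.example/", "https://www.example.com/"):
        z_ok, z_bad = zone_for(url, gp_site_list, sane_pac), zone_for(url, gp_site_list, broken_pac)
        print(f"{url:28} sane PAC -> zone {z_ok} (silent auth: {credentials_sent_silently(z_ok)})"
              f"   broken PAC -> zone {z_bad} (silent auth: {credentials_sent_silently(z_bad)})")
    lockdown = {URLACTION_SHELL_EXECUTE_HIGHRISK: {INTERNET: URLPOLICY_DISALLOW}}
    print("Internet download with 1806=Disable:", download_outcome(INTERNET, lockdown))
```

With the sane PAC, www.example.com lands in the Internet zone and gets a credential prompt; with the script that returns DIRECT for everything, the same site is treated as Intranet and receives Kerberos/NTLM credentials silently, which is the mistake described above. The lockdown override reproduces the case where Chromium reports “Couldn’t download – Blocked.”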

Even Limited Use is Controversial

Respect for Zones² in Chromium remains controversial: the Chrome team has launched plans to remove them a few times, but has abandoned each attempt under the weight of enterprise compatibility concerns. Their arguments for complete removal include:

  1. Zones are poorly documented, and Windows Zone behavior is poorly understood.
  2. The performance/deadlock risks mentioned earlier (Intranet Zone mappings can come from a system-discovered proxy script).
  3. Zones are Windows-only (meaning that a deployment which depends on them cannot be replaced drop-in by ChromeOS).

Note: By configuring an explicit site list policy for Windows Authentication, an administrator disables the browser’s URLACTION_CREDENTIALS_USE check, so Zones Policy is not consulted. A similar option is not presently available for Downloads.

Zones in the New Edge

Beyond the two usages of Zones inherited from upstream, the new Chromium-based Edge browser (v79+) adds one more:

  1. Administrators can configure Internet Explorer Mode to open all Intranet sites in IEMode. Those IEMode tabs are really running Internet Explorer, and they use Zones for everything that IE did.

Update: This is very much a corner case, but I’ll mention it anyway. On downlevel operating systems (Windows 7/8/8.1), logging into the browser for sync makes use of a Windows dialog box that contains a Web Browser Control (based on MSHTML) that loads the login page. If you adjust your Windows Security Zones settings to block JavaScript from running in the Internet Zone, you will find that you’re unable to log into the new browser. Oops.

Downsides/Limitations

While it’s somewhat liberating that we’ve moved away from the bug farm of Security Zones, it also gives us one less tool to make things convenient or compatible for our users and IT admins.

We’ve already heard from some customers that they’d like to have a different security and privacy posture for sites on their Intranet, with behavior like:

  • Disable the Tracking Prevention, “Block 3rd party cookie”, and other privacy-related controls for the Intranet (like IE/Edge did).
  • Allow navigation to file:// URIs from the Intranet (like IE/Edge did)
  • Disable “HTTP and mixed content are unsafe” and “TLS/1.0 and TLS/1.1 are deprecated” nags.
  • Skip SmartScreen checks for the Intranet.
  • Allow ClickOnce/DirectInvoke/Auto-opening Downloads from the Intranet without a prompt. Previously, Edge (Spartan)/IE respected the FTA_OpenIsSafe bit in the EditFlags for the application.manifest progid if-and-only-if the download source was in the Intranet/Trusted Sites Zone.
  • Allow launching application protocols from the Intranet without a prompt.
  • Drop all Referers when navigating from the Intranet to the Internet; leave Referers alone when browsing the Intranet.
  • Internet Explorer and legacy Edge will automatically send your client certificate to Intranet sites that ask for it. The AutoSelectCertificateForUrls policy permits Edge to send a client certificate to specified sites without a prompt, but this policy requires the administrator to manually list the sites.
  • Block all (or most) extensions from touching Intranet pages to reduce the threat of data leaks.
  • Guide all Intranet navigations into an appropriate profile or container (a la Detangle).
  • Upstream, there’s a longstanding desire to help protect intranets and the local machine from cross-site-request-forgery attacks; blocking loads and navigations of private resources from the Internet Zone is somewhat simpler than blocking them from Intranet sites.

At present, only AutoSelectCertificateForUrls, manual cookie controls, and mixed content nags support policy-pushed site lists, but their list syntax doesn’t have any concept of “Intranet” (dotless hosts, hosts that bypass proxy).


You’ll notice that each of these has potential security impact (e.g. an XSS on a privileged “Intranet” page becomes more dangerous; unqualified hostnames can result in name collisions), but having the ability to scope some features to only “Intranet” sites might also improve security by reducing attack surface.

As browser designers, we must weigh the enterprise impact of every change we make, and being able to say “This won’t apply to your intranet if you don’t want it to” would be very liberating. Unfortunately, building such an escape hatch is also the recipe for accumulating technical debt and permitting the corporate intranets to “rust” to the point that they barely resemble the modern public web.

Best Practices

Throughout Chromium, many features are designed to respect an individual policy-pushed list of sites to control their behavior. If you were forward-thinking enough to structure your intranet such that your hostnames are of the form hostname.contoso-intranet.com, congratulations: you’ve lucked into a best practice. You can configure each desired policy with a *.contoso-intranet.com entry and your entire Intranet will be opted in.

Unfortunately, while wildcards are supported, there’s presently no way (as far as I can tell) to express the concept of “any dotless hostname.”

Why is that unfortunate? For over twenty years, Internet Explorer and legacy Edge mapped domain names like https://payroll, https://timecard, and https://sharepoint/ to the Intranet Zone by default. As a result, many smaller companies have benefitted from this simple heuristic that requires no configuration changes by the user or the IT department.

Opportunity: Maybe such a DOTLESS_HOSTS token should exist in the Chromium policy syntax. TODO: figure out if this is worth doing.
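An added example, not Chromium's parser and not part of this post: a matcher for the kind of site-list entries consumed by policies such as AutoSelectCertificateForUrls or the Windows Authentication server list mentioned earlier (the [*.]host and *.host forms), an audit for over-broad entries, and the hypothetical DOTLESS_HOSTS token discussed above. The pattern semantics are a simplified reading of Chromium's documented conventions, and every hostname is made up.

```python
"""Added example, not Chromium's code: match hostnames against policy
site-list entries, audit a list for over-broad entries, and try out the
hypothetical DOTLESS_HOSTS token. Pattern semantics are a simplified reading
of the "[*.]example.com" convention; every hostname below is made up."""
from urllib.parse import urlsplit

DOTLESS_HOSTS = "DOTLESS_HOSTS"   # hypothetical token; not part of any shipping policy syntax


def host_matches(pattern, host):
    """Does one site-list entry cover this host?

    payroll               exactly that host
    [*.]corp.example      corp.example and every subdomain
    *.corp.example        same thing (the shorthand used in the post)
    *                     every host (almost never what an admin means)
    DOTLESS_HOSTS         any hostname without a dot (hypothetical)
    """
    host, pattern = host.lower().rstrip("."), pattern.strip().lower()
    if pattern == "*":
        return True
    if pattern == DOTLESS_HOSTS.lower():
        return "." not in host
    for prefix in ("[*.]", "*."):
        if pattern.startswith(prefix):
            base = pattern[len(prefix):]
            # require a label boundary so evil-corp.example does not match [*.]corp.example
            return host == base or host.endswith("." + base)
    return host == pattern


def matching_entries(url, site_list):
    """Entries of site_list that apply to url's host (empty list: the policy does not apply)."""
    host = urlsplit(url).hostname or ""
    return [entry for entry in site_list if host_matches(entry, host)]


def policy_applies(url, site_list):
    return bool(matching_entries(url, site_list))


def audit_site_list(site_list):
    """Entries broader than any intranet should be: "*", and wildcards over a bare label
    such as "[*.]com", which opts in an entire TLD."""
    bad = []
    for entry in site_list:
        e = entry.strip().lower()
        if e == "*":
            bad.append(entry)
            continue
        for prefix in ("[*.]", "*."):
            if e.startswith(prefix) and "." not in e[len(prefix):]:
                bad.append(entry)
                break
    return bad


if __name__ == "__main__":
    intranet = ["[*.]contoso-intranet.com", "mail.corp.example"]
    for url in ("https://hr.contoso-intranet.com/", "https://contoso-intranet.com/",
                "https://evil-contoso-intranet.com/", "https://payroll/"):
        print(f"{url:40} -> {matching_entries(url, intranet)}  "
              f"with DOTLESS_HOSTS: {policy_applies(url, intranet + [DOTLESS_HOSTS])}")
    print("over-broad entries:", audit_site_list(["*", "[*.]com", "[*.]corp.example"]))
```

The audit matters for the same reason the proxy-script discussion earlier does: a bare “*” in a list that relaxes mixed-content nags or auto-selects a client certificate is the site-list equivalent of returning DIRECT for every URL, and it opts the entire public web into the intranet posture.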

Summary

  • Internet Explorer and Legacy Edge use a system of five Zones and 88+ URLActions to make security decisions for web content, based on the host of a target site.
  • Chromium (New Edge, Chrome) uses a system of Site Lists and permission checks to make security decisions for web content, based on the host of a target site.

There is no exact mapping between these two systems, which exist for similar reasons but are implemented using very different mechanisms.

In general, users should expect to be able to use the new Edge without configuring anything; many of the URLActions that were exposed by IE/Spartan have no logical equivalent in modern browsers.

If the new Edge browser does not behave in the desired way for some customer scenario, then we must examine the details of what isn’t working as desired to determine whether there exists a setting (e.g. a Group Policy-pushed SiteList) that provides the desired experience.

-Eric

¹ Technically, it was possible for an administrator to create “Custom Security Zones” (with increasing ZoneIds starting at #5), but such a configuration has not been officially supported for at least fifteen years, and it’s been a periodic source of never-to-be-fixed bugs.

² Beyond those explicit uses of Windows’ Zone Manager, various components in Chromium have special handling for localhost/loopback addresses, and some have special recognition of RFC1918 private IP Address ranges (e.g. SafeBrowsing handling) and Network Quality Estimation.
Within Edge, the EMIE List is another mechanism by which sites’ hostnames may result in different handling.


Note

You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the Microsoft Edge documentation landing page.

Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is built as a Universal Windows app rather than a classic desktop program, its process model is fundamentally different: both the outer manager process and the separate content processes all run inside AppContainer sandboxes.

Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system.

The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), which randomizes the memory layout of the browser processes so that attackers cannot reliably hit precise memory locations. A 64-bit process makes ASLR much more effective because the address space is vastly larger, so sensitive memory components are far harder for an attacker to find.

For more details on the security features in Microsoft Edge, see Help protect against web-based security threats below.

You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:

Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge

Configure cookies


Supported versions: Microsoft Edge on Windows 10
Default setting: Disabled or not configured (Allow all cookies from all sites)

Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft Edge to block only third-party cookies or to block all cookies.

Supported values

Group Policy                          MDM  Registry  Description                                    Most restricted
Enabled                               0    0         Block all cookies from all sites.              Yes
Enabled                               1    1         Block only cookies from third-party websites.
Disabled or not configured (default)  2    2         Allow all cookies from all sites.

ADMX info and settings

ADMX info

  • GP English name: Configure cookies
  • GP name: Cookies
  • GP element: CookiesListBox
  • GP path: Windows Components/Microsoft Edge
  • GP ADMX file name: MicrosoftEdge.admx

MDM settings

  • MDM name: Browser/AllowCookies
  • Supported devices: Desktop and Mobile
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/AllowCookies
  • Data type: Integer

Registry settings

  • Path: HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
  • Value name: Cookies
  • Value type: REG_DWORD

Configure Password Manager

Supported versions: Microsoft Edge on Windows 10
Default setting: Enabled (Allowed/users can change the setting)

By default, Microsoft Edge uses Password Manager automatically, allowing users to manage passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose whether to save and manage passwords locally using Password Manager.

Supported values

Group Policy       MDM    Registry  Description                                             Most restricted
Not configured     Blank  Blank     Users can choose to save and manage passwords locally.
Disabled           0      no        Not allowed.                                            Yes
Enabled (default)  1      yes       Allowed.

Verify not allowed/disabled settings:

  1. Click or tap More (…) and select Settings > View Advanced settings.
  2. Verify that the Save passwords toggle is set to off or on and is greyed out.

ADMX info and settings

ADMX info

  • GP English name: Configure Password Manager
  • GP name: AllowPasswordManager
  • GP path: Windows Components/Microsoft Edge
  • GP ADMX file name: MicrosoftEdge.admx

MDM settings

  • MDM name: Browser/AllowPasswordManager
  • Supported devices: Desktop and Mobile
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager
  • Data type: Integer

Registry settings

  • Path: HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
  • Value name: FormSuggest Passwords
  • Value type: REG_SZ

Configure Windows Defender SmartScreen

Supported versions: Microsoft Edge on Windows 10
Default setting: Enabled (Turned on)

Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevents users from turning it off. Don’t configure this policy if you want to let users choose whether to turn Windows Defender SmartScreen on or off.

Supported values

Group Policy    MDM    Registry  Description                                                                                   Most restricted
Not configured  Blank  Blank     Users can choose to use Windows Defender SmartScreen.
Disabled        0      0         Turned off. Do not protect users from potential threats and prevent users from turning it on.
Enabled         1      1         Turned on. Protect users from potential threats and prevent users from turning it off.        Yes

To verify Windows Defender SmartScreen is turned off (disabled):

  1. Click or tap More (…) and select Settings > View Advanced settings.
  2. Verify the setting Help protect me from malicious sites and download with Windows Defender SmartScreen is disabled.

ADMX info and settings

ADMX info

  • GP English name: Configure Windows Defender SmartScreen
  • GP name: AllowSmartScreen
  • GP path: Windows Components/Microsoft Edge
  • GP ADMX file name: MicrosoftEdge.admx

MDM settings

  • MDM name: Browser/AllowSmartScreen
  • Supported devices: Desktop and Mobile
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
  • Data type: Integer

Registry settings

  • Path: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
  • Value name: EnabledV9
  • Value type: REG_DWORD

Prevent bypassing Windows Defender SmartScreen prompts for files

Supported versions: Microsoft Edge on Windows 10, version 1511 or later
Default setting: Disabled or not configured (Allowed/turned off)

By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s).

Supported values

Group Policy                          MDM  Registry  Description                                                                                        Most restricted
Disabled or not configured (default)  0    0         Allowed/turned off. Users can ignore the warning and continue to download the unverified file(s).
Enabled                               1    1         Prevented/turned on.                                                                               Yes

ADMX info and settings

ADMX info

  • GP English name: Prevent bypassing Windows Defender SmartScreen prompts for files
  • GP name: PreventSmartScreenPromptOverrideForFiles
  • GP path: Windows Components/Microsoft Edge
  • GP ADMX file name: MicrosoftEdge.admx

MDM settings

  • MDM name: Browser/PreventSmartScreenPromptOverrideForFiles
  • Supported devices: Desktop and Mobile
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
  • Data type: Integer

Registry settings

  • Path: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
  • Value name: PreventOverrideAppRepUnknown
  • Value type: REG_DWORD

Prevent bypassing Windows Defender SmartScreen prompts for sites

Supported versions: Microsoft Edge on Windows 10, version 1511 or later
Default setting: Disabled or not configured (Allowed/turned off)

By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.

Supported values

Group Policy                          MDM  Registry  Description                                                              Most restricted
Disabled or not configured (default)  0    0         Allowed/turned off. Users can ignore the warning and continue to the site.
Enabled                               1    1         Prevented/turned on.                                                     Yes

ADMX info and settings

ADMX info

  • GP English name: Prevent bypassing Windows Defender SmartScreen prompts for sites
  • GP name: PreventSmartscreenPromptOverride
  • GP path: Windows Components/Microsoft Edge
  • GP ADMX file name: MicrosoftEdge.admx

MDM settings

  • MDM name: Browser/PreventSmartscreenPromptOverride
  • Supported devices: Desktop and Mobile
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
  • Data type: Integer

Registry settings

  • Path: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter
  • Value name: PreventOverride
  • Value type: REG_DWORD

Prevent certificate error overrides

Supported versions: Microsoft Edge on Windows 10, version 1809
Default setting: Disabled or not configured (Allowed/turned off)

By default, Microsoft Edge allows users to override the security warnings for sites that have SSL/TLS certificate errors, bypassing or ignoring those errors. Enabling this policy prevents overriding of the security warnings.

Supported values

Group Policy                          MDM  Registry  Description                                                                       Most restricted
Disabled or not configured (default)  0    0         Allowed/turned off. Users can override the security warning for sites that have SSL errors.
Enabled                               1    1         Prevented/turned on.                                                              Yes

ADMX info and settings

ADMX info

  • GP English name: Prevent certificate error overrides
  • GP name: PreventCertErrorOverrides
  • GP path: Windows Components/Microsoft Edge
  • GP ADMX file name: MicrosoftEdge.admx

MDM settings

  • MDM name: Browser/PreventCertErrorOverrides
  • Supported devices: Desktop and Mobile
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides
  • Data type: Integer

Registry settings

  • Path: HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
  • Value name: PreventCertErrorOverrides
  • Value type: REG_DWORD

Prevent using Localhost IP address for WebRTC

Supported versions: Microsoft Edge on Windows 10, version 1511 or later
Default setting: Disabled or not configured (Allowed/show localhost IP addresses)

By default, Microsoft Edge exposes the device’s local (host) IP addresses in the ICE candidates it generates while making calls using the WebRTC protocol, so the remote peer, and any page script that sets up a peer connection, can learn them. Enabling this policy hides the local IP addresses.
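As an added example that is not part of the documentation above, the following Python scans a WebRTC session description for ICE candidates that reveal local or private addresses, which is exactly what this policy suppresses. The SDP is constructed for the example; a real check would capture pc.localDescription.sdp from a test page in the browser under test and feed it to the same function.

```python
"""Added example (not from the documentation): scan a WebRTC SDP for ICE
candidates that reveal local/private addresses, i.e. what the "Prevent using
Localhost IP address for WebRTC" policy suppresses. The SDP below is constructed;
a real check would capture pc.localDescription.sdp from a test page."""
import ipaddress
import re

# a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
CANDIDATE_RE = re.compile(
    r"^a=candidate:\S+ \d+ \S+ \d+ (?P<addr>\S+) \d+ typ (?P<typ>\S+)(?: raddr (?P<raddr>\S+))?", re.I)

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7")]                # IPv6 equivalents

# Constructed sample: two plain host candidates, one server-reflexive candidate whose
# raddr echoes a LAN address, and one mDNS-obfuscated host candidate.
SAMPLE_SDP = """v=0
o=- 4611731400430051336 2 IN IP4 127.0.0.1
s=-
m=audio 9 UDP/TLS/RTP/SAVPF 111
a=candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host
a=candidate:2 1 udp 2122194687 10.40.7.5 51001 typ host
a=candidate:3 1 udp 1686052607 198.51.100.9 51000 typ srflx raddr 192.168.1.23 rport 51000
a=candidate:4 1 udp 2122260223 2c3e5f9a-1b2d-4e6f-8a9b-0c1d2e3f4a5b.local 51002 typ host
"""


def is_local(addr):
    """True for an IP literal inside a private, loopback or link-local range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # mDNS name (the obfuscated form browsers emit) or a hostname
    return any(ip in net for net in LOCAL_NETS)


def candidate_addresses(sdp):
    """Yield (address, role) pairs: host candidate addresses and any raddr of srflx/relay candidates."""
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if not m:
            continue
        if m.group("typ").lower() == "host":
            yield m.group("addr"), "host"
        if m.group("raddr"):
            yield m.group("raddr"), "raddr"


def leaked_local_addresses(sdp):
    """Sorted list of distinct local addresses the SDP exposes to the remote peer."""
    return sorted({addr for addr, _ in candidate_addresses(sdp) if is_local(addr)})


if __name__ == "__main__":
    leaked = leaked_local_addresses(SAMPLE_SDP)
    print("local addresses exposed:", leaked or "none (candidates use mDNS names)")
```

A browser that hides local IPs emits only mDNS-style .local names for host candidates, so the function returns an empty list; the raddr check matters because a server-reflexive candidate can echo the LAN address even when the host candidates are clean.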

Supported values

Group Policy                          MDM  Registry  Description                          Most restricted
Disabled or not configured (default)  0    0         Allowed. Show localhost IP addresses.
Enabled                               1    1         Prevented.                           Yes

ADMX info and settings

ADMX info

  • GP English name: Prevent using Localhost IP address for WebRTC
  • GP name: HideLocalHostIPAddress
  • GP path: Windows Components/Microsoft Edge
  • GP ADMX file name: MicrosoftEdge.admx

MDM settings

  • MDM name: Browser/PreventUsingLocalHostIPAddressForWebRTC
  • Supported devices: Desktop
  • URI full path: ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC
  • Data type: Integer

Registry settings

  • Path: HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
  • Value name: HideLocalHostIPAddress
  • Value type: REG_DWORD
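As an added example that is not part of the Microsoft documentation, the following Python reads a `reg export` of the policy keys listed in the sections above (Configure cookies through Prevent using Localhost IP address for WebRTC) and reports each policy’s effective state, flagging values that are not the most restrictive one. The value names, paths and meanings are taken from the tables above; the .reg text is constructed.

```python
"""Added example (not from the docs): parse a `reg export` of the legacy Edge
policy keys and report each security policy's effective state, flagging the
ones that are weaker than their most-restrictive value. Paths, value names and
meanings follow the policy tables; the .reg text below is constructed."""
import re

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge"

# (subkey under POLICY_ROOT, value name) -> (policy name, {raw value: meaning}, most-restrictive raw value)
POLICIES = {
    ("Main", "Cookies"): ("Configure cookies",
        {0: "block all cookies", 1: "block third-party cookies", 2: "allow all cookies"}, 0),
    ("Main", "FormSuggest Passwords"): ("Configure Password Manager",
        {"no": "not allowed", "yes": "allowed"}, "no"),
    ("PhishingFilter", "EnabledV9"): ("Configure Windows Defender SmartScreen",
        {0: "turned off, users cannot turn it on", 1: "turned on, users cannot turn it off"}, 1),
    ("PhishingFilter", "PreventOverrideAppRepUnknown"): ("Prevent bypassing SmartScreen prompts for files",
        {0: "users may bypass", 1: "bypass prevented"}, 1),
    ("PhishingFilter", "PreventOverride"): ("Prevent bypassing SmartScreen prompts for sites",
        {0: "users may bypass", 1: "bypass prevented"}, 1),
    ("Internet Settings", "PreventCertErrorOverrides"): ("Prevent certificate error overrides",
        {0: "users may override", 1: "override prevented"}, 1),
    ("Main", "HideLocalHostIPAddress"): ("Prevent using Localhost IP address for WebRTC",
        {0: "local IPs exposed", 1: "local IPs hidden"}, 1),
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9a-fA-F]{8})$')
STRING_RE = re.compile(r'^"(.+?)"="(.*)"$')

# Constructed export; a real one comes from: reg export "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge" edge.reg
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main]
"Cookies"=dword:00000001
"FormSuggest Passwords"="no"
"HideLocalHostIPAddress"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter]
"EnabledV9"=dword:00000001
"PreventOverride"=dword:00000000
"""


def parse_reg(text):
    """Minimal .reg reader: {(subkey under POLICY_ROOT, value name): int or str}."""
    values, subkey = {}, None
    prefix = POLICY_ROOT.lower() + "\\"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            subkey = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        if subkey is None:
            continue                      # values under keys we are not auditing
        m = DWORD_RE.match(line)
        if m:
            values[(subkey, m.group(1))] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            values[(subkey, m.group(1))] = m.group(2)
    return values


def audit(text):
    """{policy name: (state description, is_most_restrictive)}; unset policies are reported too."""
    values = parse_reg(text)
    report = {}
    for loc, (name, meanings, strictest) in POLICIES.items():
        if loc not in values:
            report[name] = ("not configured (browser default applies)", False)
            continue
        v = values[loc]
        report[name] = (meanings.get(v, f"unexpected value {v!r}"), v == strictest)
    return report


def weak_policies(text):
    """Names of policies whose current state is not the most restrictive one."""
    return [name for name, (_, strict) in audit(text).items() if not strict]


if __name__ == "__main__":
    for name, (state, strict) in audit(SAMPLE_REG).items():
        print(f"{'OK  ' if strict else 'WEAK'} {name}: {state}")
```

Export the real key with reg export and pass the file's contents to audit(); “not configured” rows are where the browser default (usually the permissive one in the tables above) is in force.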

Help protect against web-based security threats


While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or to gain access to your system’s resources. Using strong security protocols helps protect against such threats.

Thieves use things like phishing attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference.


Another method thieves often use is hacking: attacking a system through malformed content that exploits subtle flaws in the browser or in browser extensions. Such an exploit lets an attacker run code on a device, taking over the browsing session and perhaps the entire device.


Microsoft Edge addresses these threats to help make browsing the web a safer experience.

Windows Hello: Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography, powered by an early implementation of the Web Authentication (formerly FIDO 2.0 Web API) specification.

Microsoft SmartScreen: Defends against phishing by performing reputation checks on sites visited and blocking any site that is thought to be a phishing site. SmartScreen also helps to defend against the installation of malicious software, drive-by attacks, and malicious file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites.

Certificate Reputation system: Collects data about certificates in use, detects new certificates, flags fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include:
  • Certificate Reputation system: Protects users from fraudulent certificates.
  • Bing Webmaster Tools (for developers): Reports fake certificates directly to Microsoft.

Microsoft EdgeHTML and modern web standards: Microsoft Edge uses Microsoft EdgeHTML as its rendering engine. The engine focuses on modern standards, letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:
  • Support for the W3C standard Content Security Policy (CSP), which can help web developers defend their sites against cross-site scripting attacks.
  • Support for the HTTP Strict Transport Security (HSTS) security feature (IETF-standard compliant). HSTS helps ensure that connections to important sites, such as your bank, are always secured.

NOTE: Both Microsoft Edge and Internet Explorer 11 support HSTS.

Code integrity and image loading restrictions: Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading into or injecting into the content processes. Only properly signed images are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV shares) can’t load.

Memory corruption mitigations: Memory corruption attacks frequently target apps written in C or C++, languages that don’t provide memory safety or buffer-overflow protection. When an attacker supplies malformed input to such a program, the program’s memory becomes corrupt, allowing the attacker to take control of it. Although attackers have adapted and invented new ways to attack, we’ve responded with memory-safety defenses that mitigate the most common forms of attack, including and especially use-after-free (UAF) vulnerabilities.

Memory Garbage Collector (MemGC) mitigation: MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC takes the freeing of memory out of the programmer’s hands and automates it, freeing a block only when the collector detects that no references to it remain.

Control Flow Guard: Attackers use memory corruption to gain control of the CPU program counter and jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps are restricted to function entry points with known addresses, which makes attacker take-overs much more difficult by constraining where an attack can jump.

All web content runs in an app container sandbox: Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd-party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure.

Extension model and HTML5 support: Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the Microsoft Edge Developer Center.

Reduced attack surfaces: Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, or document modes. Many IE browser vulnerabilities only appear in legacy document modes, so removing that support reduces attack surface, making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List.