|Originally deployed in
|Latest update deployed in
|Latest update includes
|Site and organization mitigation to choosing which trackers to block.
|Customizable settings to:
Edge uses Trust Protection Lists to classify the domains that are recognized as having cross-site tracking capabilities, or are otherwise harmful to the site. This list is derived from Disconnect.me, similar to Firefox’s approach.
Edge restricts storage access to and/or blocks resources loaded from the following Disconnect.me categories:
The chart below shows the level of blocking for each category. Balanced is the default level of tracking prevention in the browser.
S means that storage access is restricted for domains falling under the given category.
B means that all resources are blocked for domains falling under the given category.
To prevent storage access and resource blocking from breaking user experience, Edge has introduced some mitigations to how cross-site tracking prevention works.
If two domains are owned and operated by the same company, Edge introduces a mitigation where tracking prevention is relaxed when one such domain requests resources from the other.
www.company-cdn.com are different domains, but they are registered by the same company, and Edge recognizes them as belonging to the same organization. Thus, even if Edge’s Trust Protection Lists have identified
www.company-cdn.com as a tracking domain, access to it from
www.company-domain.com would not be restricted.
Edge introduced the Site engagement score from the Chromium project as a further mitigation to accessing resources on classified domains.
Activities that improve the site engagement score are:
The site engagement score is calculated as a double value between 0-100.
Engagement scores are keyed by origin (so
www.domain.com would have a different engagement score from
sub.domain.com), and engagement scores are cleared with browser history (or, for scores accumulated in incognito mode, when the browser is shut down). Engagement scores also decay with time.
Edge determines a score of 4.1 to represent sufficient engagement with a site to enable mitigation for tracking prevention.
You can view the site engagement scores stored in your Edge instance by typing
edge://site-engagement in the address bar of the browser.
If the browser requests a resource from a site with an engagement score of 4.1 or better, Edge does not restrict storage access or resource loads unless the site is classified in the Fingerprinting or Cryptomining categories.
Organization engagement mitigation means that if one site in an organization receives a site engagement score high enough to not be impacted by tracking prevention (i.e. a score of 4.1 or better), then the user is considered to have a relationship with the organization.
Example: If the user has interacted with
www.company-domain.com enough to accumulate a score of 4.1 or better, then
www.company-cdn.comwould enjoy the benefits of site engagement mitigation as well, because it is recognized as part of the same organization. Thus if a website does a cross-site request to
www.company-cdn.com, Edge would not block storage access even if the domain were in the Trust Protection Lists. Unless, of course,
www.company-cdn.com would fall under the Fingerprinting or Cryptomining categories.
Third-party cookies are blocked from all domains listed in the Trust Protection Lists (considering the mitigations listed above).
Note that domains in Cryptomining and Fingerprinting categories of the Trust Protection Lists have all resource loads blocked, and thus resources that would have been downloaded from these sources cannot make use of first-party cookies.
All other third-party browser storage is blocked from domains listed in the Trust Protection Lists (considering the mitigations listed above).
Note that domains in Cryptomining and Fingerprinting categories of the Trust Protection Lists have all resource loads blocked, and thus resources that would have been downloaded from these sources cannot make use of other first-party storage.
No protections against CNAME cloaking.
Default browser policy (
On macOS Edge, the version number in the User Agent string is frozen to
10_15_7 to fix compatibility issues with upgrading to macOS version 11+ (Big Sur). This has obvious privacy implications as well, as the platform version is no longer useful for fingerprinting purposes.
Sample User Agent string when running Edge 90.0.818.62 on macOS 11.3.1:
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.62"