-->The tracking prevention feature in Microsoft Edge protects users from online tracking by restricting the ability of trackers to access browser-based storage as well as the network. It is built to uphold the Microsoft Edge browser privacy promise while also ensuring that there is no impact by default to website compatibility or the economic viability of the web.
The new Microsoft Edge adopts the Chromium open source project to create better compatibility for customers and less fragmentation of the web for web developers. With this Insider preview, the new Microsoft Edge is available to HoloLens 2 customers for the first time! Block resource loads - If a known tracking resource is being loaded on a website, Microsoft Edge may block that load before the request reaches the network depending on compatibility impact of the load and the tracking prevention setting a user has set. Blocked loads may include tracking scripts, pixels, iframes, and more.
Microsoft Edge currently offers users three levels of tracking prevention, which are selected by navigating to edge://settings/privacy.
- Basic - The least restrictive level of tracking prevention that is designed for users who enjoy personalized advertisements and who do not mind being tracked on the web. Basic only protects users against malicious trackers such as fingerprinters and cryptominers.
- Balanced (Default) - The default level of tracking prevention that is designed for users who want to see less creepy advertisements that follow them around the web while they browse. Balanced aims to block trackers from sites that users never engage with while minimizing the risk of compatibility issues on the web.
- Strict - The most restrictive level of tracking prevention that is designed for users who are okay trading website compatibility for maximum privacy.
The tracking prevention feature in Microsoft Edge is made up of three main components that work together to determine whether a specific resource from a website should be classified as a tracker and blocked. The components are as follows:
- Classification - The way Microsoft Edge determines whether a URL belongs to a tracker.
- Enforcement - The actions taken to protect Microsoft Edge users from URLs classified as trackers.
- Mitigations - The mechanisms provided to ensure user-specified favorite sites still work, while offering strong default protection.
Each of the components are explored and explained in detail on this page.
Classification
The first component of the tracking prevention feature in Microsoft Edge is classification. To classify online trackers and group them into categories, Microsoft Edge uses the Disconnect open source tracking protection lists. The lists are delivered via the 'Trust Protection Lists' component, which is viewable at edge://components. After being downloaded, the lists are stored on disk where you may use them to determine whether/how a particular URL is classified.
To determine if a URL is considered a tracker by the classification system in Microsoft Edge, a series of host names are checked, starting with an exact match and then proceeding to check for partial matches for up to four labels beyond the top-level domain.
Example:
URL: https://a.subdomain.of.a.known.tracker.test/some/path
Tested host names:
a.subdomain.of.a.known.tracker.testof.a.known.tracker.testa.known.tracker.testknown.tracker.testtracker.test
If any of those host names match with a host name on the Disconnectlists, Microsoft Edge proceeds with evaluating enforcement actions to prevent users from being tracked.
Enforcement
To provide protection from tracking actions on the web, Microsoft Edge takes two enforcement actions against classified trackers:
- Restrict storage access - If a known tracking resource tries to access any web storage where it may try to persist data about the user, Microsoft Edge blocks that access. This includes restricting the ability for that tracker to get or set cookies as well as access storage APIs such as
IndexedDBandlocalStorage. - Block resource loads - If a known tracking resource is being loaded on a website, Microsoft Edge may block that load before the request reaches the network depending on compatibility impact of the load and the tracking prevention setting a user has set. Blocked loads may include tracking scripts, pixels, iframes, and more. This prevents any data potentially being sent to the tracking domain and may even improve load times and page performance as a side effect.
A user may choose the page info flyout icon on the left side of the address bar to find out which trackers were blocked on a specific page: Backstagehome.
How the enforcements are applied depends on what level of tracking prevention the user selected and the mitigations that may apply.
Mitigations
To ensure that web compatibility is preserved as much as possible, Microsoft Edge has three mitigations to help balance enforcements in specific situations. These are the Org Relationship mitigation, the Org Engagement mitigation, and the CompatExceptions List.
Before diving into the mitigations, it is worth defining the concept of an 'Organization' or 'Org' for short. Disconnect also maintains a list called entities.json that defines groups of URLs that are owned by the same parent organization/company. The tracking prevention feature in Microsoft Edge uses this list in both the Org Relationship mitigation and the Org Engagement mitigation to minimize the occurrence of compatibility issues caused by tracking prevention affecting cross-organizational requests.
Org Relationship Mitigation
Several popular websites maintain both websites and Content Delivery Networks (CDNs) to serve static resources and content to those sites. To ensure that these types of scenarios are not affected by tracking prevention, Microsoft Edge exempts a site from tracking prevention when the site is making third-party requests to other sites owned by the same parent organization (as defined in the Disconnect entities.json list). This is best illustrated by an example.
Example:
An organization named Org1 owns the domains org1.test and org1-cdn.test, as defined in the Disconnect entities.json list. Imagine that org1-cdn.test is classified as a tracker and would normally have tracking prevention enforcements applied to it. If a user visits https://org1.test and the site tries to load a resource from https://org1-cdn.test, Microsoft Edge does not take any enforcement actions against requests made to org1-cdn.test even though it is not a first-party URL. If another URL that is not part of the Org1 organization tries to load that same resource, however, then the request would be subject to enforcements because it is not part of the same organization.
Even though this relaxes tracking prevention enforcements for sites that belong to the same organization, it is unlikely that this introduces a high amount of privacy risk since such organizations are able to determine which sites/resources you have accessed on https://org1.test as well https://org1-cdn.test using internal back-end data.
Org Engagement Mitigation
The org engagement mitigation was created to minimize compatibility risks introduced by tracking prevention by ensuring that sites owned by organizations that users sufficiently engage with continue to work as expected across the web. It makes use of site engagement to relax enforcements whenever a user has established an ongoing relationship (currently defined by a site engagement score of 4.1 or greater) with a given site. This again is best illustrated by an example:
Example:
An organization named Social Org owns the domains social.example and social-videos.example.
Users are considered to have a relationship with Social Org if they have established a site engagement score of 4.1 or greater with any one of domains owned by Social Org.
If another site, https://content-embedder.example, includes third-party content (say an embedded video from social-videos.example) from any of the domains owned by Social Org that would normally be restricted by tracking prevention enforcements, the site is exempt from tracking prevention enforcements as long as the user's site engagement score with domains owned by Social Org is maintained above the threshold.
If a site does not belong to an organization, a user must establish a site engagement score of 4.1 or greater with it directly before any storage access/resource load blocks imposed by tracking prevention are relaxed.
The org engagement mitigation is currently only applied in Balanced mode so that Microsoft Edge is offering the highest possible protections for users who have opted into Strict.
The CompatExceptions List
Based on recent user feedback Microsoft received, Microsoft Edge maintains a small list of sites (most of which are in the Disconnect Content category) that were breaking due to tracking prevention despite having the above two mitigations in place. Sites on this list are exempt from tracking prevention enforcements. The list can be found on disk at the locations described below. Users may override entries on it using the Block option in edge://settings/content/cookies.
To avoid maintaining this list moving forwards, Microsoft is currently working on the Storage Access API in the Chromium codebase. The Storage Access API gives site developers a way to request storage access from users directly, providing users with more transparency into how their privacy settings are affecting their browsing experience, and giving site developers controls to quickly and intuitively unblock themselves.
After the Storage Access API is implemented, Microsoft will deprecate the CompatExceptions list and reach out to the affected sites both to make them aware of the issues, and to request that they use the Storage Access API moving forward.
Current tracking prevention behavior
The following table shows the enforcement actions and mitigations that are applied to each category of classified tracker in Microsoft Edge.
- Along the top are the categories of trackers as defined by Disconnect tracking protection list categories.
- Along the left side are the three levels of tracking prevention in Microsoft Edge (Basic, Balanced, and Strict).
- The letter
Sindicates that storage access is blocked. - The letter
Bindicates that both storage access and resource loads (such as network requests) are blocked. - A hyphen (
-) indicates that no block is applied to either storage access or resource loads.
| Advertizing | Analytics | Content | Cryptomining | Fingerprinting | Social | Other | Same Org Mitigation | Org Engagement Mitigation | |
|---|---|---|---|---|---|---|---|---|---|
| Basic | - | - | - | B | B | - | - | Enabled | N/A |
| Balanced | S | - | S | B | B | S | S | Enabled | Enabled |
| Strict | B | B | S | B | B | B | B | Enabled | Disabled |
Note
The org engagement mitigation does not apply to the Cryptomining or Fingerprinting categories.
Tip
Strict mode blocks more resource loads than Balanced. The blocking of more resource loads may result in Strict mode appearing to block less tracking requests than Balanced since the trackers making the requests are never loaded.
Note
The Fingerprinting column in Current tracking prevention behavior refers to trackers that are on the Fingerprinting list in addition to another list. Trackers that appear on solely on the Fingerprinting list are considered non-malicious fingerprinters and are not blocked.
InPrivate behavior
In Microsoft Edge 79, the default behavior was to apply Strict mode protections in InPrivate. In Microsoft Edge 80, this behavior was replaced by a switch in edge://settings/privacy that allows users to decide whether to apply Strict mode protections or to keep their regular settings while browsing InPrivate.
Determining whether/how a particular URL is classified
The easiest way to determine whether a specific URL is classified as a known tracker is to perform the following steps.
- Open DevTools and navigate to the Console tab.
- Refresh the webpage.
- You may want to clear Cookies and other site data first to reset site engagement scores and ensure a completely clean slate.
- Look for any messages that read
Tracking Prevention blocked access to storage for <URL>.- You may expand the messages to see the individual URLs that were blocked.
- If you need to determine which category a specific blocked site is in, the easiest way to do this is to search for it on the Disconnect services.json list. The entries are alphabetized, so scrolling to the top of a block of site entries enables you to find the specific category for a particular site.
Tip
If you need to access the tracking prevention lists that are stored on disk, each may be found in one of two locations.
Component-based updates - The lists that are downloaded from the 'Trust Protection Lists' component
Windows: %LOCALAPPDATA%MicrosoftEdge <OptionalChannelName>User DataTrust Protection Lists
macOS: ~/Library/Application Support/Microsoft Edge <OptionalChannelName>/Trust Protection Lists
Installation directory - The lists that are bundled with the Microsoft Edge Installer. If you selected a different installation directory, your exact paths may be different.
Microsoft Edge Blocking Chrome
Windows: %PROGRAMFILES(x86)%Microsoft Edge <OptionalChannelName>Application<Version>Trust Protection Lists
macOS: /Applications/Microsoft Edge.app/Contents/Frameworks/Microsoft Edge Framework.framework/Libraries/Trust Protection Lists
Frequently Asked Questions
The following section contains answers to frequently asked questions about the tracking prevention feature in Microsoft Edge.
Is there a way to block or allow specific trackers for debugging purposes?
Currently, Microsoft Edge only exposes an option to disable tracking prevention enforcements from running on a specified site. This option is accessed via the page info flyout or through the edge://settings/privacy/trackingPreventionExceptions page.
That being said, the Block and Allow options on the edge://settings/content/cookies page may be used to allow or deny specific domains access to storage such as cookies and other browser storage mechanisms. This is useful for debugging site issues that are caused by tracking prevention enforcements blocking access to storage for a specific site.
Announcements from the Microsoft Edge DevTools team
The following sections are a list of announcements you may have missed from the Microsoft Edge DevTools team. Check out the announcements to try new features in the DevTools, Microsoft Visual Studio Code extensions, and more. To stay up to date on all the latest and greatest features in your developer tools, download the Microsoft Edge preview channels and follow us on Twitter.
Use the DevTools in Windows high contrast mode
The Microsoft Edge DevTools are now displayed in high contrast mode when Windows is in high contrast mode.
Follow the instructions to turn on high contrast mode in Windows. To open the DevTools in Microsoft Edge, select F12 or Ctrl+Shift+I. The DevTools are displayed in high contrast mode.
Note
The Microsoft Edge DevTools currently support high contrast mode on Windows but not on macOS.
Chromium issue #1048378
Match keyboard shortcuts in the DevTools to Visual Studio Code
From your feedback and the Chromium public issue tracker, the Microsoft Edge DevTools team learned that you wanted the ability to customize keyboard shortcuts in the DevTools. In Microsoft Edge 84, you are now able to match keyboard shortcuts in the DevTools to Visual Studio Code, which is just one of the features the team is working on for shortcut customization.
To try the experiment, open DevTools Settings by selecting ? or choosing the icon in the top-right corner of the DevTools. Navigate to the Experiments section and check Enable custom keyboard shortcuts settings tab (requires reload). Now reload the DevTools, open Settings again, and navigate to the Shortcuts section.
Choose DevTools (Default) in the Match shortcuts from preset dropdown and select Visual Studio Code. The keyboard shortcuts in the DevTools now match the shortcuts for equivalent actions in Visual Studio Code.
For example, the keyboard shortcut for pausing or continuing running a script in Visual Studio Code is F5. With the DevTools (Default) preset, that same shortcut in the DevTools is F8 but with the Visual Studio Code preset, that shortcut is now also F5.
The feature is currently available in Microsoft Edge 84 as an experiment, so please share your feedback with the team!
Chromium issue #174309
Remote debug Surface Duo emulators
You are now able to remotely debug your web content running in the Surface Duo emulator using the full power of the Microsoft Edge DevTools.
With the Surface Duo emulator, you are able to test how your web content renders on a new class of foldable and dual-screen devices. The emulator runs the Android operating system and provides the Microsoft Edge Android app. Load your web content in the Microsoft Edge app and debug it with the Microsoft Edge DevTools.
The edge://inspect page in a desktop instance of Microsoft Edge shows the SurfaceDuoEmulator with a list of the open tabs or PWAs that are running on the Surface Duo emulator.
Choose inspect for the tab or PWA that you want to debug to open the Microsoft Edge DevTools. Follow the step-by-step guide to remotely debug your web content on the Surface Duo emulator.
Resize the DevTools drawer more easily
In Microsoft Edge 83 or earlier, you were only able to resize the DevTools Drawer by hovering inside the toolbar of the Drawer. The Drawer behaved differently than the other resize controls for panes in the DevTools where you hover on the border of the pane to resize it. Choose the following image to display how resizing the Drawer worked in version 83 or earlier of Microsoft Edge.
Starting with Microsoft Edge 84, you are now able to resize the Drawer by hovering over the border of the Drawer. This change aligns the behavior resizing the DevTools Drawer with the way you resize other panes in the DevTools. Choose the following image to display resizing in action in Microsoft Edge 84.
Chromium issue #1076112
Screencasting navigation buttons display focus
When remote debugging an Android device, a Windows 10 device, or a Surface Duo emulator, you are able to toggle screencasting with the icon in the top-left corner of the DevTools. With screencasting enabled, you are able to navigate the tab in Microsoft Edge on the remote device from the DevTools window. In Microsoft Edge 84, these navigation buttons are now also keyboard accessible.
Chromium issue #1081486
Network panel Details pane is now accessible
In Microsoft Edge 84, the Details pane in the Network tool now takes focus when you open it for a resource in the Network Log. This change allows screen readers to read out and interact with the content of the Details pane.
Chromium issue #963183
Announcements from the Chromium project
The following sections announce additional features available in Microsoft Edge 84 that were contributed to the open source Chromium project.
Fix site issues with the new Issues tool in the DevTools Drawer
The new Issues tool in the DevTools Drawer was built to help reduce the notification fatigue and clutter of the Console. Currently, the Console is the central place for website developers, libraries, frameworks, and Microsoft Edge to log messages, warnings, and errors. The Issues tool aggregates warnings from the browser in a structured, aggregated, and actionable way, links to affected resources within Microsoft Edge DevTools, and provides guidance on how to fix the issues. Over time, more and more warnings are surfaced in Microsoft Edge in the Issues tool rather than the Console, which should help reduce the clutter in the Console.
To get started, navigate to Find And Fix Problems With The Microsoft Edge DevTools Issues tool.
Chromium issue #1068116
View accessibility information in the Inspect Mode tooltip
The Inspect Mode tooltip now indicates whether the element has an accessiblename and role and is keyboard-focusable.
Chromium issue #1040025
Performance panel updates
View Total Blocking Time information in the footer
After recording your load performance, the Performance panel now shows Total Blocking Time (TBT) information in the footer. TBT is a load performance metric that helps quantify how long a page takes to become usable. It essentially measures how long a page appears to be usable (because the content is rendered to the screen); but is not actually usable, because JavaScript is blocking the main thread and therefore the page does not respond to user input. TBT is the main metric for approximating First Input Delay.
To get Total Blocking Time information, do not use the Refresh Page workflow for recording page load performance.
Instead, select Record , manually reload the page, wait for the page to load, and then stop recording.
If Total Blocking Time: Unavailable is displayed, Microsoft Edge DevTools did not get the required information from the internal profiling data in Microsoft Edge.
Chromium issue #1054381
Layout Shift events in the new Experience section
The new Experience section of the Performance panel helps you detect layout shifts. Cumulative Layout Shift (CLS) is a metric that helps you quantify unwanted visual instability.
Choose the Layout Shift event to display the details of the layout shift in the Summary pane. Hover on the Moved from and Moved to fields to visualize where the layout shift occurred.
More accurate promise terminology in the Console
Free pdf merger. When logging a Promise, the Console incorrectly provided PromiseStatus value set to resolved.
The Console now uses the term fulfilled, which aligns with the Promise specification. For more information about the Promise specification, navigate to States and Fates on GitHub.
V8 issue #6751
Styles pane updates
Support for the revert keyword
The autocomplete UI of the Styles pane now detects the revert CSS keyword, which reverts the cascaded value of a property to the previous value applied to the styling of the element.
Chromium issue #1075437
Image previews
Hover on a background-image value in the Styles pane to display a preview of the image in a tooltip.
Chromium issue #1040019
Color Picker now uses space-separated functional color notation
CSS Color Module Level 4 specifies that color functions, such as rgb(), should support space-separatedarguments. For example, rgb(0, 0, 0) is equivalent to rbg(0 0 0).
When you choose colors with the Color Picker or alternate between color representations in the Styles pane by holding Shift and selecting the background-color value, the space-separated argument syntax is displayed.
You should also display the syntax in the Computed pane and the Inspect Mode tooltip.
Microsoft Edge DevTools is using the new syntax because upcoming CSS features such as color() do not support the deprecated comma-separated argument syntax.
The space-separated argument syntax has been supported in most browsers for a while. For more information, navigate to Can I use: Space-separated functional color notations?
Chromium issue #1072952
Deprecation of the Properties pane in the Elements panel
The Properties pane in the Elements tool is deprecated. Run console.dir($0) in the Console instead.
References
App shortcuts support in the Manifest pane
App shortcuts help users quickly start common or recommended tasks within a web app. The app shortcuts menu is shown only for Progressive Web Apps that are installed on the user's desktop or mobile device.
Microsoft Edge Blocking Chrome Browser
Download the Microsoft Edge preview channels
If you are on Windows or macOS, consider using the Microsoft Edge preview channels as your default development browser. The preview channels give you access to the latest DevTools features.
Getting in touch with Microsoft Edge Devtools team
Use the following options to discuss the new features and changes in the post, or anything else related to DevTools.
- Send your feedback using the Send Feedback icon in DevTools.
- Tweet at @EdgeDevTools.
- Submit a suggestion to The Web We Want.
- To file bugs about this article, use the following Feedback section.
Note
Portions of this page are modifications based on work created and shared by Google and used according to terms described in the Creative Commons Attribution 4.0 International License.
The original page is found here and is authored by Kayce Basques (Technical Writer, Chrome DevTools & Lighthouse).
This work is licensed under a Creative Commons Attribution 4.0 International License.