This is what the new Chromium-based Edge looks like

I tried to use Edge yesterday but I don't like the way it handles bookmarks. I prefer Firefox but if I open a folder as a tab group it won't execute a bookmarklet. Edge won't let me save a bookmark on the toolbar and in a folder. Saving to one removes the other. I'm sure they're trying to save me from myself with that but I'd rather they wouldn't try to overcompensate for my deliberate act.

 

Yes, I also believe that only with W.10/11 there is some advantage in terms of security to use MS Edge.
Another advantage could be the lower use of RAM.

 

Yes, I think with Appcontainer the sandbox is very strong, and even stronger in Pro W10/11 versions using Defender's Application Guard.

On Linux, the sandboxing at least on Debian-based ditros isn't exactly chopped liver. The seccomp-bpf sandbox being enabled and providing the strongest protection. Throw in fairly restrictive Apparmor profiles like I've done to contain it, and you've most likely got yourself an impenetrable fortress encasing the browser.

$ sudo aa-status



edge://sandbox

 

In fact, Apparmor allows no unauthorized access to files even in user directories unless a rule exists in the Apparmor profiles:



When running aa-logprof profiling, the denied file access is as shown, and the user could create a rule to allow, deny or ignore it. If this rule were to be allowed, it would have only read permissions, although Write permissions could be added also.



This is how Edge, or any browser or program for that matter, can be made even more secure than it would be installed default out of the box.

 

Is this the sandbox you are all talking about with MS Edge?

https://www.how2shout.com/how-to/ru...-with-windows-defender-application-guard.html

 

Yes, that's the one. But even without WDAG, the Edge renderers on Windows are sandboxed in Appcontainer, I believe, so it's still sandboxed, just not as strong as WDAG.

 

Roger that, thanks.

 

I see what you mean, having just tried now to organize my favorites in a similar fashion. Just terrible

Edit

actually I just figured out a copy/cut & paste method directly from the bookmarks, but it's pretty hokey. Not nearly as good as Firefox.

 

Bookmark Sidebar
https://microsoftedge.microsoft.com...bar/lmjefbghkfeppnpofmbfmhgodpclipbl?hl=en-US

 

Popup my Bookmarks
https://chrome.google.com/webstore/detail/popup-my-bookmarks/mppflflkbbafeopeoeigkbbdjdbeifni

 

A combination of factors contribute to safety.
Take for example the phishing page below blocked by Edge:



Right now it is not blocked by Firefox (so also by Chrome) and not even by the default anti-phishing list of UBO.
Within a short time it will probably be blocked,but......

 

Does Edge actually use AppContainer though?

My msedge.exe is run as "untrusted", not as "AppContainer"

 

Untrusted instead of AppContainer #183

 

Also note that AppContainer is not enabled by default.

 

Doesn't seem to be working for me.

 

Fascinating. I had no idea. Only 1 process is shown as using AppContainer instead of Untrusted in Process Explorer though.

How does one enable it then, exactly? There used to be a Flag for that previously but that seems to be gone now.

 

Yes, it doesn't seem to work in my case either.
Instead, as you can see to Kees1958 it works:

https://malwaretips.com/threads/microsoft-edge-stable-chromium-now-available-for-download.95808/page-65#post-965753

A consultation with Kees would be interesting.
The most visible difference is in my case a N/A value in Autostart Location.

Strange because the documentation is clear:

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#rendererappcontainerenabled

 

Sampei Nihira shared the registry key:
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#rendererappcontainerenabled
It's not working for me though.

I can´t find it in Group Policy either. The documentation says the path is Administrative Templates/Microsoft Edge/, that doesn't exist for me. Administrative Templates/Windows Components/Microsoft Edge/ does exist, but the policy is not there. Not in Computer Configuration and not in User Configuration.

 

Looks to be available only if you run:

New Application Guard window ...I believe this is only available in Pro and higher Windows 10/11. I'm running Windows 11 Pro.



Otherwise in normal operation there will only be Untrusted renderers.

Sorry, I went off of information I took from elsewhere when I posted earlier, which I misinterpreted, plus I was on my Linux desktop, so I did not verify Appcontainer operation. I have tested this several times over just minutes ago and I can verify Appcontainer will run only with a New Application Guard session running.

 

I have just asked Kees to verify. Hopefully he'll respond

 

BTW something I just discovered; if I have Process Explorer already opened when I launch Edge normally, I can see an Appcontainer process running for ~30 sec, then it closes for good. I wonder if this is the bug in PE that is referenced in the link @mood posted above, or does Edge actually run an Appcontainer process briefly at startup?

 

Well Appcontainer is working for Kees, and on Home version no less

https://malwaretips.com/threads/microsoft-edge-stable-chromium-now-available-for-download.95808/post-969790

 

You are using W.11 Pro, the PC that was tested has W.11 Home.

The only difference could be that you use a Standard account and Kees' wife (maybe) Administrator.

Another difference could be in the quick start of Edge (if enabled).

It seems strange to me that entering the key manually is ineffective compared to entering the key by running a reg file that contains the same rules.

At this point you have to solve the problem because you are in the same test conditions as Kees (same OS W.11) you even better the Pro version.

 

app container explained
https://docs.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation