
Microsoft Edge: Building a safer browser - cpeterso
http://blogs.windows.com/msedgedev/2015/05/11/microsoft-edge-building-a-safer-browser/
======
jedberg
Having met the engineers who actually built Edge, I can say with some
confidence that I think this will be the Microsoft browser people actually like.

They built it from the ground up with security in mind, and with standards
compatibility at the expense of backwards compatibility.

In other words, they have finally decided that it is ok to tell their lagging
enterprise customers to get with the times.

~~~
JustSomeNobody
I thought they started with IE and cut out parts. That's not ground up.

~~~
Osiris
> But Microsoft Edge has done more than just re-write the rendering engine...

> Microsoft Edge hosts a new rendering engine, Microsoft EdgeHTML

> The largest change in Microsoft Edge security is that the new browser is a
> Universal Windows app.

Everything they'd said in their press releases, including this one, says that
the browser is a complete rewrite from scratch, though leveraging lessons
learned on security.

edit: I stand corrected. Is there evidence that the application (Edge) itself
is based on IE or just the rendering engine?

~~~
azakai
Actually, the information said that they _forked_ their existing rendering
engine, and started to remove all the cruft they didn't care about any more.
That led to a lot of new code and faster development - but it isn't entirely
from scratch.

edit: See for example
[http://en.wikipedia.org/wiki/EdgeHTML](http://en.wikipedia.org/wiki/EdgeHTML)
that mentions it beginning as a fork of Trident.

~~~
lazaroclapp
True enough as far as it goes, but isn't that like saying that people running
a current version of Firefox are still using code from the Netscape 4? A fork
of Trident that is not afraid of deprecating unsafe features and breaking
backwards-compatibility for the sake of standards-compatibility isn't
necessarily a worse thing than a from-scratch-new rendering engine.

------
rmtew
> The largest change in Microsoft Edge security is that the new browser is a
> Universal Windows app. .... This provides the user and the platform with the
> confidence provided by other Windows store apps

I see it's going to be a Windows Store app.

I wonder how this will affect the usability for people like myself, who never
see the metro side of windows unless I accidentally move the mouse near the
wrong side of the screen, or accidentally hit the Windows key. Any time I see
a metro app like the horrendous metro version of Windows Update, I moan that
it's there like a false positive, close it and find the normal version that
isn't awkward to use.

~~~
cobalt
Windows 10 does not have fullscreen apps like Windows 8 did.

~~~
AdeptusAquinas
Or rather fullscreen view is now optional.

------
lawnchair_larry
_" A broad variety of memory corruption mitigations have been devised since
the mid-1990s, and in the 2000s Microsoft has lead the way with advances
including ASLR, DEP, and SeHOP."_

No, they didn't lead the way. PaX beat them by at least 5 years, yet they
still take credit for this. They didn't even create the Windows version of
ASLR in house.

_" including industry leading sandboxing"_

They're really going to claim that the Edge sandbox is better than Chrome,
with no basis?

~~~
wyldfire
> They're really going to claim that the Edge sandbox is better than Chrome,
> with no basis?

Edge has yet to be exploited at Pwn2Own and Chrome gets exploited every year.
Clearly that's a better record. ;)

~~~
yeukhon
I will take it as being sarcastic... otherwise, Edge has only been made available
for less than two months.

------
kid0m4n
I believe that Microsoft not releasing versions for Linux / Mac OS X is going
to not allow Edge to get maximum adoption.

How am I supposed to test that my website works on Edge properly? The only
option thus far is to set up a VM with Windows 10 on it so that I can run a
browser to test my website.

I don't even bother testing stuff on IE x for that reason.

~~~
mikhailt
The same way as before, Microsoft will release Edge-dev optimized VM builds
on their site here:
[http://dev.modern.ie/tools/vms/](http://dev.modern.ie/tools/vms/)

They have other tools there to help as well. Microsoft is pretty good about
helping devs here.

It's not like testing sites in Safari is better, Apple isn't even bothering to
update Safari on Windows as it has been dead for nearly more than 2 years.

At least Microsoft is updating more often than Apple. They already have IE11
on Win10 dev VM there.

~~~
integraton
That is enormously disingenuous to try to equivocate IE/Spartan/Edge's single-
OS existence with Safari/WebKit.

WebKit works on every major operating system, including Windows and Linux.
IE/Spartan/Edge does not work outside of Windows.

There are some minor feature differences between WebKit, OS X Safari, and iOS
Safari, but the reality remains that WebKit exists on Windows, can be built on
Windows, and can be used on Windows, while IE/Spartan/Edge works on nothing
but Windows.

Edit: I'd love to hear from the ethically bankrupt downvoters about which fact
in this comment they are trying to hide from.

~~~
bunderbunder
There are WebKit browsers other than Safari. But judging by how often I come
across sites that render differently in Chrome and Safari, I don't know that
we should draw too strong an equivalence between them either.

(And while I can't speak for the downvoters because I'm not one of them, I
suspect that it's not the facts presented in the post that are attracting the
downvotes so much as that it's written in the form of a flame.)

~~~
integraton
Chrome doesn't use WebKit, it uses Blink, a fork of WebKit. I'm only referring
to WebKit, the Apple open source browser project that builds and works on
every major operating system including Windows. If you also want to talk about
Blink, Google's browser project that, unlike IE/Spartan/Edge, also works on
every major operating system, then that's fine, too.

While we are at it, let's talk about Mozilla's browser and rendering engine
that also works on every major operating system.

~~~
eropple
_> Chrome doesn't use WebKit, it uses Blink, a fork of WebKit._

Chrome didn't render the same as Safari when Chrome used WebKit, either.
You're caping up for this, and I can't for the life of me figure out why.

~~~
comex
To be fair, Chrome certainly behaved (behaves) more similar to Safari than to
browsers with completely unrelated engines.

~~~
eropple
Only to a point. Font rendering, in particular, was significantly different
between the two, even Windows/Windows and Mac/Mac. It was enough to make life
difficult.

------
craigds
> Microsoft Edge provides no support for VML, VB Script, Toolbars, BHOs, or
> ActiveX.

Years too late of course, but good to see this finally happening.

~~~
ethana
There are people that swear by VB script. But new extension engine would be
nice.

~~~
JoshTriplett
> There are people that swear by VB script.

And many more who swear _at_ VBScript...

------
ethana
I was hoping they would open source Edge at Build, but that was a bit
optimistic of a time frame. There are still core components yet to be
finished. Hope it will get done soon and have a solid code base to be released
as open source.

~~~
bobajeff
They don't seem to want to open source it. When I asked, they told me that
they had no plans to and now they are hand-selecting companies to contribute
code to their engine.

------
johnwfinigan
"Microsoft Edge is also 64-bit, not just by default, but at all times when
running on a 64-bit processor."

After 32-bit Windows Server went away as of 2008 R2, I didn't expect MS to
keep shipping 32-bit client for this long. Anybody have a convincing argument
as to why? 16-bit legacy apps in large businesses?

Obviously it's not free to do this, especially since they'll be producing
every patch for two PC platforms for probably another decade.

~~~
wtallis
Drivers would be the only justification. If they really cared about 16-bit
apps they would have supported them on 64-bit Windows: it's only real mode and
virtual 8086 mode that are hard to support on a 64-bit OS; 64-bit
compatibility mode can handle 16-bit protected mode software just as easily as
32-bit software. Additionally, virtualization works fine for application-level
code, but not drivers.

------
stokedmartin
Features built or under consideration [0]

[0]
[http://dev.modern.ie/platform/status/](http://dev.modern.ie/platform/status/)

------
comex
> MemGC (Memory Garbage Collector) is a memory garbage collection system that
> seeks to defend the browser from UAF (Use-after-free) vulnerabilities by
> taking responsibility for freeing memory away from the programmer and
> instead automating it, only freeing memory when the automation has detected
> that there are no more references left pointing to a given block of memory.

Interesting; I don't think this has been announced before. It sounds similar
in concept to Chrome's Oilpan (still not shipped AFAIK).
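
The deferred-free idea in the MemGC description quoted above, as an added C example that is not part of the original thread and not Microsoft's code. The names `gc_alloc`, `gc_free`, `gc_sweep` and `gc_roots` are hypothetical, and it assumes every live pointer is stored in `gc_roots`, which is the only region the sweep scans.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 16
#define NROOTS 4

typedef struct { void *base; size_t size; int pending; } block_t;
static block_t blocks[MAX_BLOCKS];
static size_t nblocks;
void *gc_roots[NROOTS]; /* hypothetical root set: where pointers are assumed to live */

void *gc_alloc(size_t size) {
    if (nblocks == MAX_BLOCKS) return NULL;
    void *p = calloc(1, size);
    if (p) blocks[nblocks++] = (block_t){ p, size, 0 };
    return p;
}

/* A free request only zeroes the block and marks it pending; nothing is released. */
void gc_free(void *p) {
    for (size_t i = 0; i < nblocks; i++)
        if (blocks[i].base == p) { memset(p, 0, blocks[i].size); blocks[i].pending = 1; }
}

/* Conservative scan: does any root hold an address inside the block? */
static int referenced(const block_t *b) {
    uintptr_t lo = (uintptr_t)b->base;
    for (size_t i = 0; i < NROOTS; i++) {
        uintptr_t v = (uintptr_t)gc_roots[i];
        if (v >= lo && v - lo < b->size) return 1;
    }
    return 0;
}

/* Release pending blocks that nothing references; returns how many were released. */
size_t gc_sweep(void) {
    size_t released = 0;
    for (size_t i = 0; i < nblocks;) {
        if (blocks[i].pending && !referenced(&blocks[i])) {
            free(blocks[i].base);
            blocks[i] = blocks[--nblocks];
            released++;
        } else i++;
    }
    return released;
}
```

A stale pointer left in `gc_roots` after `gc_free` keeps the block allocated and zeroed, so a later dereference reads zeroes rather than memory reused for another object; the block is returned to the allocator only by a `gc_sweep` that runs after the slot is cleared.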

~~~
Animats
What is Edge written in? I would have assumed Microsoft would use C#, which is
garbage collected.

~~~
nbevans
Highly unlikely. It would be written as a native C++ app. Whilst the .NET CLR
is very powerful and highly performant these days, there just wouldn't be
enough justification I don't think to design their web browser on it. Remember
this thing will be targeting mobile devices too. So every little performance
optimisation can save minutes of battery life which all adds up.

That said, I've always wondered what a JavaScript implementation built on top
of the CLR might behave like.

------
kijin
A bit off topic, but I really hope that Microsoft and Samsung have reached
some sort of understanding regarding the name "Edge". A trademark dispute
involving their new browser is the last thing Microsoft needs at this time. It
was confusing enough when they had to change SkyDrive to OneDrive.

~~~
vinceyuan
I don't think it is a problem. The new browser's name is not Edge. It's
'Microsoft Edge'. The samsung phone's name is 'Galaxy Edge'. Now tech
companies like to use the compound name, e.g. Apple Watch, to avoid the
trademark issue.

~~~
kijin
SkyDrive was Microsoft SkyDrive too, but the British court ruled that it
infringed BSkyB's trademark.

------
chasing
Microsoft has one helluva hole to dig themselves out of, here.

~~~
nivla
For us techies, sure, but I wonder how many average joes have written off IE?
For them the 'e' logo is and always has been the door to the internet. Now
since Microsoft is planning on bundling both the new and the old browser in
Win10, I am curious to see how many of these people will still stick with the
old one over the new.

~~~
Turing_Machine
"I wonder how many average joes have written off IE?"

Lots of them. Many surveys show it down in the Safari region, for instance:

[http://gs.statcounter.com/#all-browser-ww-monthly-201504-201...](http://gs.statcounter.com/#all-browser-ww-monthly-201504-201504-bar)

~~~
adventured
More likely closer to 25% to 30%

Every other major source than that one reports IE well above 12%

[http://www.zdnet.com/article/the-most-u-s-popular-web-browse...](http://www.zdnet.com/article/the-most-u-s-popular-web-browsers/)

[https://www.netmarketshare.com/browser-market-share.aspx?qpr...](https://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0)

~~~
Turing_Machine
The first one is limited to .gov websites, and lots of government agencies
still use IE for internal use.

The second one excludes mobile, for no good reason that I can see. Mobile is
huge.

~~~
mynameisvlad
Because the browser landscape is _completely_ different in mobile? There isn't
really any reason not to separate them. They're completely different markets.

~~~
Turing_Machine
No, they aren't different "markets". They're not even different code. Safari on
iOS comes from the same code base as Safari on desktop, and I'm pretty sure
the same is true for Chrome on Android (Chrome on iOS, like other iOS
browsers, is just a wrapper around the Safari engine).

The old Android browser was different code, but that's been on its deathbed
for a while now.

Mobile users use the same sites as desktop users, to a very large degree. They
use the same browser code (again, to a very large degree). The only reason to
separate them that I can see is to artificially inflate the number of IE
users.

------
akandiah
> building a sun porch onto your house without locking the door to the
> sunporch

Love the tongue-in-cheek swipe at Java applets. Perhaps I'm reading too much
into this line.

