74 comments

[ 0.73 ms ] story [ 231 ms ] thread
> Microsoft Edge provides no support for VML, VB Script, Toolbars, BHOs, or ActiveX.

Years too late of course, but good to see this finally happening.

This is definitely a case of "better late than never", IMO.

Microsoft browsers will always have a foothold in enterprise environments, and the prospect of developing against a "real" browser when working with enterprise customers is rather exciting.

Microsoft ships their browser on 250-300 million new PCs and tablets every year, or roughly 200% more computing devices than in 1999. Most of those go to consumers. I'd say Microsoft will continue to have a foothold (of some scale) with consumers by default as well, even if it's just 10%-20% of PC/laptop/surface consumers that will use the Microsoft browser by default, that becomes a big installed base.
There are people that swear by VB script. But new extension engine would be nice.
> There are people that swear by VB script.

And many more who swear at VBScript...

VBScript needs to die. Microsoft has been trying to kill anything VB-related for years. It's a zombie.

The guys who swear by it are not programmers. Sorry.

But you know, new Microsoft proprietary "Microsoft Passport" authentication stuff >|
Google has its own proprietary sign in features across its offering. I think it's becoming more or less standard fare.
If you're talking about password syncing, Chrome uses the system's password store. Hopefully the Microsoft Passport the article refers to is just a password manager.

edit: unfortunately, no, it just appears to be another sign-in with company X: http://blogs.windows.com/bloggingwindows/2015/03/17/making-w...

No. I'm talking about the Google user sign in features for Chrome and Android. Microsoft is adding a twist to its version, but in my mind they're pretty much the same.
The automatic sign in to Google if you're signed in to Google on Chrome?

This sounds more like an extension of the browser that either you use Edge or you can't sign in

Having met the engineers who actually built Edge, I can say with some confidence that I think this will the Microsoft browser people actually like.

They built it from the ground up with security in mind, and with standards compatibility at the expense of backwards compatibility.

In other words, they have finally decided that it is ok to tell their lagging enterprise customers to get with the times.

Yeah, I've met some of them too. Edge is still slow and missing a thousand niceties that everyone takes for granted in Firefox and Chrome.
> In other words, they have finally decided that it is ok to tell their lagging enterprise customers to get with the times.

Well, they're still maintaining IE as a separate browser for those corporate users who rely on it, but it is a first step toward that.

I thought they started with IE and cut out parts. That's not ground up.
> But Microsoft Edge has done more than just re-write the rendering engine...

> Microsoft Edge hosts a new rendering engine, Microsoft EdgeHTML

> The largest change in Microsoft Edge security is that the new browser is a Universal Windows app.

Everything they'd said in their press releases, including this one, says that the browser is a completely rewrite from scratch, though leveraging lessons learned on security.

edit: I stand corrected. Is there evidence that the application (Edge) itself is based on IE or just the rendering engine?

Actually, the information said that they forked their existing rendering engine, and started to remove all the cruft they didn't care about any more. That led to a lot of new code and faster development - but it isn't entirely from scratch.

edit: See for example http://en.wikipedia.org/wiki/EdgeHTML that mentions it beginning as a fork of Trident.

Thanks for the correction.
True enough as far as it goes, but isn't that like saying that people running a current version of Firefox are still using code from the Netscape 4? A fork of Trident that is not afraid of deprecating unsafe features and breaking backwards-compatibility for the sake of standards-compatibility isn't necessarily a worse thing than a from-scratch-new rendering engine.
Microsoft has one helluva hole to dig themselves out of, here.
For us techies, sure, but I wonder how many average joes have written off IE? For them the 'e' logo is and always have been the door to the internet. Now since Microsoft is planning on bundling both the new and the old browser in Win10, I am curious to see how many of these people will still stick with the old one over the new.
"I wonder how many average joes have written off IE?"

Lots of them. Many surveys show it down in the Safari region, for instance:

http://gs.statcounter.com/#all-browser-ww-monthly-201504-201...

More likely closer to 25% to 30%

Every other major source than that one reports IE well above 12%

http://www.zdnet.com/article/the-most-u-s-popular-web-browse...

https://www.netmarketshare.com/browser-market-share.aspx?qpr...

The first one is limited to .gov websites, and lots of government agencies still use IE for internal use.

The second one excludes mobile, for no good reason that I can see. Mobile is huge.

Because the browser landscape is completely different in mobile? There isn't really any reason not to separate them. They're completely different markets.
No, they aren't different "markets" They're not even different code. Safari on iOS comes from the same code base as Safari on desktop, and I'm pretty sure the same is true for Chrome on Android (Chrome on iOS, like other iOS browsers, is just a wrapper around the Safari engine).

The old Android browser was different code, but that's been on its deathbed for a while now.

Mobile users use the same sites as desktop users, to a very large degree. They use the same browser code (again, to a very large degree). The only reason to separate them that I can see is to artificially inflate the number of IE users.

No, NetMarketShare/NetApplications is the exception: https://en.wikipedia.org/wiki/Usage_share_of_web_browsers

Of course, they're also the only source that tries to count "unique visitors" rather than traffic, and uses country-level weighting to attempt to correct for sampling bias.

But personally, I still find StatCounter more useful.

It looks like they have one arm already over the top edge of the hole though...
I believe that Microsoft not releasing versions for Linux / Mac OS X is going to not allow Edge to get maximum adoption.

How am I supposed to test that my website works on Edge properly? The only option thus far is to setup a VM with Windows 10 on it so that I can run a browser to test my website.

I dont even bother testing stuff on IE x for that reason.

www.modern.ie

And even if they did release linux or osx versions you would still want to test in windows, for the differences in font engines etc. Just like testing safari really requires osx.

and there's no analogues of modern.ie in Apple world :)

One can even try to test it remotely, without downloading and installing VM, but in some cases, such as animations testing, VM is more comfortable.

THey actually discussed this at the recent spartan summit. A lot of the team would like to make a version for non windows, they just want to make a great one for windows first.

beyond that, there are a ton of ways to easily test IE.

http://dev.modern.ie/tools/

browserstack, saucelabs, free virtual machines for local testing, the azure remote tester amongst others.

The same way as before, Microsoft will release an Edge-dev optimized VM builds on their site here: http://dev.modern.ie/tools/vms/

They have other tools there to help as well. Microsoft is pretty good about helping devs here.

It's not like testing sites in Safari is better, Apple isn't even bothering to update Safari on Windows as it has been dead for nearly more than 2 years.

At least Microsoft is updating more often than Apple. They already have IE11 on Win10 dev VM there.

That is enormously disingenuous to try to equivocate IE/Spartan/Edge's single-OS existence with Safari/WebKit.

WebKit works on every major operating system, including Windows and Linux. IE/Spartan/Edge does not work outside of Windows.

There are some minor feature differences between WebKit, OS X Safari, and iOS Safari, but the reality remains that WebKit exists on Windows, can be built on Windows, and can be used on Windows, while IE/Spartan/Edge works on nothing but Windows.

Edit: I'd love to hear from the ethically bankrupt downvoters about which fact in this comment they are trying to hide from.

There are WebKit browsers other than Safari. But judging by how often I come across sites that render differently in Chrome and Safari, I don't know that we should draw too strong an equivalence between them either.

(And while I can't speak for the downvoters because I'm not one of them, I suspect that it's not the facts presented in the post that are attracting the downvotes so much as that it's written in the form of a flame.)

Chrome doesn't use WebKit, it uses Blink, a fork of WebKit. I'm only referring to WebKit, the Apple open source browser project that builds and works on every major operating system including Windows. If you also want to talk about Blink, Google's browser project that, unlike IE/Spartan/Edge, also works on every major operating system, then that's fine, too.

While we are at it, let's talk about Mozilla's browser and rendering engine that also works on every major operating system.

> Chrome doesn't use WebKit, it uses Blink, a fork of WebKit.

Chrome didn't render the same as Safari when Chrome used WebKit, either. You're caping up for this, and I can't for the life of me figure out why.

To be fair, Chrome certainly behaved (behaves) more similar to Safari than to browsers with completely unrelated engines.
Only to a point. Font rendering, in particular, was significantly different between the two, even Windows/Windows and Mac/Mac. It was enough to make life difficult.
The reality remains that I can test Edge as Edge, perfectly, with all of it's unique quirks no matter what operating system I use.

You can't say the same for Apple's Safari browser.

> I believe that Microsoft not releasing versions for Linux / Mac OS X is going to not allow Edge to get maximum adoption.

How much will the user base grow by allowing a small fraction of desktop users the option of using this browser?

I bet you're one of these only testing on chrome nowadays...
I'm not surprised. It's clear they are using newer Windows APIs to offload 2D and 3D rendering among other things. I doubt they'd be able to release a version that didn't run on Windows for those reasons, just like Safari will never run on anything but OS X because it leverages OS X APIs.
Safari did run on Windows for years.

But it did seem like they ported a lot of OS X libraries to Windows just to get it working. If I remember correctly, it had OS X font rendering for example.

iTunes for Windows also takes the same approach of porting the OS X libraries rather than porting the application. It's always kinda weird stumbling across Windows-specific code in the source to things like CoreFoundation.
> MemGC (Memory Garbage Collector) is a memory garbage collection system that seeks to defend the browser from UAF (Use-after-free) vulnerabilities by taking responsibility for freeing memory away from the programmer and instead automating it, only freeing memory when the automation has detected that there are no more references left pointing to a given block of memory.

Interesting; I don't think this has been announced before. It sounds similar in concept to Chrome's Oilpan (still not shipped AFAIK).

What is Edge written in? I would have assumed Microsoft would use C#, which is garbage collected.
Highly unlikely. It would be written as a native C++ app. Whilst the .NET CLR is very powerful and highly performant these days, there just wouldn't be enough justification I don't think to design their web browser on it. Remember this thing will be targeting mobile devices too. So every little performance optimisation can save minutes of battery life which all adds up.

That said, I've always wondered what a JavaScript implementation built on top of the CLR might behave like.

Not enough justification?

How about 0 security? All their measures are totally useless, there is no safety here just same old bullshit that can be trivially bypassed.

The fact that the article is mentioning MemGC as a defense against use-after-free attacks (something I don't believe managed languages need be concerned) and the way Control-Flow-Guard is described leads me to think it's primarily C++. Probably a mix of native/managed, but I suspect that any managed code is kept to a minimum given the emphasis on native protection and countermeasures. If this is the case then I'd be interested in their rationale in deciding not to go 100% managed.
As a fork of Trident, it's written in C++.
> The largest change in Microsoft Edge security is that the new browser is a Universal Windows app. .... This provides the user and the platform with the confidence provided by other Windows store apps

I see it's going to be a Windows Store app.

I wonder how this will affect the usability for people like myself, who never see the metro side of windows unless I accidentally move the mouse near the wrong side of the screen, or accidentally hit the Windows key. Any time I see a metro app like the horrendous metro version of Windows Update, I moan that it's there like a false positive, close it and find the normal version that isn't awkward to use.

Widnows 10 does not have fullscreen apps like windows 8 did
This is categorically incorrect.
That said, a lot of modern apps are really annoying to use even when windowed.
I was hoping they would open source Edge at Build, but that was a bit optimistic of a time frame. There are still core components yet to be finished. Hope it will get done soon and have a solid code base to be released as open source.
They don't seem to want to open source it. When I asked, they told me that they had no plans to and now they are hand-selecting companies to contribute code to their engine.
A bit off topic, but I really hope that Microsoft and Samsung have reached some sort of understanding regarding the name "Edge". A trademark dispute involving their new browser is the last thing Microsoft needs at this time. It was confusing enough when they had to change SkyDrive to OneDrive.
I don't think it is a problem. The new browser's name is not Edge. It's 'Microsoft Edge'. The samsung phone's name is 'Galaxy Edge'. Now tech companies like to use the compound name, e.g. Apple Watch, to avoid the trademark issue.
SkyDrive was Microsoft SkyDrive too, but the British court ruled that it infringed BSkyB's trademark.
Well, the "Edge" actually reminds me of Lenovo Edge series, because on the laptop it marks "Edge".
> building a sun porch onto your house without locking the door to the sunporch

Love the tongue-in-cheek swipe at Java applets. Perhaps I'm reading too much into this line.

I don't see anything safer here, same old garbage + snake oil.

Sandboxes are totally useless when the kernel is riddled with exploitable bugs.

ASLR 64bit bla bla is totally useless when you have a million information leak bugs.

Somebody wake me up when they implement an entire browser 100% in a memory safe language and there's no way to hit kernel surface from there.

"Microsoft Edge is also 64-bit, not just by default, but at all times when running on a 64-bit processor."

After 32-bit Windows Server went away as of 2008 R2, I didn't expect MS to keep shipping 32-bit client for this long. Anybody have a convincing argument as to why? 16-bit legacy apps in large businesses?

Obviously it's not free to do this, especially since they'll be producing every patch for two PC platforms for probably another decade.

Drivers would be the only justification. If they really cared about 16-bit apps they would have supported them on 64-bit Windows: it's only real mode and virtual 8086 mode that are hard to support on a 64-bit OS; 64-bit compatibility mode can handle 16-bit protected mode software just as easily as 32-bit software. Additionally, virtualization works fine for application-level code, but not drivers.
My guess: compatibility with existing ActiveX and BHO plugins.
"A broad variety of memory corruption mitigations have been devised since the mid-1990s, and in the 2000s Microsoft has lead the way with advances including ASLR, DEP, and SeHOP."

No, they didn't lead the way. PaX beat them by at least 5 years, yet they still take credit for this. They didn't even create the Windows version of ASLR in house.

"including industry leading sandboxing"

They're really going to claim that the Edge sandbox is better than Chrome, with no basis?

> They're really going to claim that the Edge sandbox is better than Chrome, with no basis?

Edge has yet to be exploited at Pwn2Own and Chrome gets exploited every year. Clearly that's a better record. ;)

I will take it being sarcastic...otherwise, Edge has only been made available for less than two months.
This is just marketing puffery. The defense would be "Microsoft was the first to implement ASLR and DEP on Windows, and Edge's sandboxing is the best sandboxing technology available from any Microsoft browser product." Just like AT&T stating they have the "strongest" signal (which is a meaningless metric by itself), or car makers calling their car gets "40% better mileage!" and the * tells you "compared for a 1978 AMC Pacer."
Has the Win 8 app store sandbox been broken? There's a "Win8 RT Jailbreak" on XDA, but the author says there's no risk of regular apps compromising your system using the same exploit.