Sampson (@jonathansampson), Aug. 27, 2019

What happens when you install the Edge (Chromium) Beta build and run it for the first time? I was curious.

On first-run, Edge fired off 130+ requests to nearly 50 endpoints. Here they are, sorted by total calls.

Time to take a closer look.

Here are all of the sessions for the 4 minutes or so I let the browser run. I see numerous connections to MSFT properties, but connections to non-MSFT properties too: Google APIs, Google, DoubleClick, Google Ad Services, Facebook, Twitter Ads, and more.

I should note, right from the start, that Edge knows more about me than any other browser can during the first-run experience. It gets this insight from Windows. As such, I'll pay closer attention to what it shares, and with whom.

The first call we'll explore is the request to . This request includes a `trustedclienttoken`, a distinct key to represent my device. The server responds with numerous synthetic voice options. I assume this is for #a11y during setup? Can't Windows already handle this?

The second request goes straight to . I suspected we would wind up talking to Google in this process, but didn't think it'd be this early. pkedcj… is Chrome Media Router, required to support Chromecast. We get XML (instead of CRX) with another URL to try.

Next we make a trip to . I assume NTP means New Tab Page. Some locale data is sent along, and we get 62K of markup back. I don't immediately see this in Edge, but it may show up in later launches.

Skype comes up in the next call. We appear to be picking up some type of configuration data. That I am a first-run user is sent over, and JSON comes back. The response has per-domain rules for DRM purposes. It also has rules to spoof user-agent strings on specific sites.

The next request is to , which only responds with a location header, telling Edge to look for the data elsewhere. As such, we'll see this request surface momentarily.

At this point, SmartScreen kicks in to review some domains we're about to visit. It gives the all clear, and we proceed! Next up, we make our first connection to the windows domain.

The next entry is to . Very little data is transferred, but for some users, I suspect this would be different. This retrieves information from Windows' Activity History. You can read more about it here: 

The next connection should look familiar, if you have read through my previous browser threads. The  call from earlier told us to go to  to download an extension CRX from Google. Redirector.* sends us to one of Google's cryptic URLs.

I should point out that  and the URL to which it points (r2---sn.*) are both loaded over HTTP (not HTTPS). I don't know if Edge performs hash comparisons on the resulting CRX, or if this could be leveraged to send a malicious extension to new users.
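The kind of hash comparison raised above, as an added example that is not part of the original thread and is not Edge's or Chromium's code: a client that fetches a package over plain HTTP can still reject a swapped file if the update-check XML declares a SHA-256 for it. The manifest layout, attribute names, host and package bytes below are constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the downloaded extension bytes; not a real CRX.
SAMPLE_CRX = b"Cr24\x03\x00\x00\x00" + b"constructed sample payload"

# Constructed update-check response. The element and attribute names are an
# assumption modeled on Omaha-style update XML; the hosts are placeholders.
SAMPLE_MANIFEST = """<response protocol="3.1">
  <app appid="exampleextensionid" status="ok">
    <updatecheck status="ok">
      <urls><url codebase="http://downloads.example.test/crx/"/></urls>
      <manifest version="1.0.0">
        <packages>
          <package name="extension.crx" hash_sha256="{digest}" size="{size}"/>
        </packages>
      </manifest>
    </updatecheck>
  </app>
</response>""".format(digest=hashlib.sha256(SAMPLE_CRX).hexdigest(),
                      size=len(SAMPLE_CRX))


def expected_packages(manifest_xml):
    """Map package name -> (sha256 hex, size) as declared by the manifest."""
    declared = {}
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "package":  # tolerate an XML namespace
            declared[el.get("name")] = (el.get("hash_sha256", "").lower(),
                                        int(el.get("size", "-1")))
    return declared


def verify_download(manifest_xml, name, blob):
    """Return (ok, reason). Anything unexpected fails closed."""
    declared = expected_packages(manifest_xml)
    if name not in declared:
        return False, "package not listed in manifest"
    want_hash, want_size = declared[name]
    if len(want_hash) != 64:
        return False, "manifest declares no SHA-256"
    if want_size >= 0 and len(blob) != want_size:
        return False, "size mismatch"
    got = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(got, want_hash):
        return False, "sha256 mismatch"
    return True, "ok"
```

The check is only as trustworthy as the channel that delivered the manifest: if the XML also travels over plain HTTP, whoever can rewrite the package can rewrite the declared hash with it.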

A bunch of resources are then loaded from . Akamai is responsible for serving the NTP to new Edge (Chromium) users. Due to it being hosted on the Web, you can visit Edge's start page directly: .

Edge then makes another call to . This time, it includes my email address used to log into Windows 10. I can see a reference to Nigori in the data (I assume this is Sync-related data).

Next up is a call, and a redirect, to . This is the page that Edge loads in a 2nd tab. This page was also responsible for loading CSS, Fonts, and other common files, as is to be expected.

The  page issues a request to ; a familiar domain for anybody in the content-blocking space. This request results in a redirect, which itself ends with an HTTP 204 No Content.

The  site calls out to , which redirects to . Google Tag Manager is also loaded. Hello, Twitter. Hello, Google.  is also called, which serves performance and event tracking logic (AFAICT).

At this point, we start to see big moves toward data collection and tracking/ads. Scripts are loaded from Facebook, Reddit, Google, and more. All originate from the default tabs during the first-run. Example: pageLoad event and device info is sent to Bing.

This Insider tab also sends data about my device and such to the DoubleClick servers (Google). There are numerous redirects when Edge calls out to . All of them set cookies. The last one looks like it assigned a universal ID.

To be quite honest, this review is rather exhausting. There are many third-party hosts; many of which technically belong to Microsoft, blurring the lines between what is first-party, and what is third-party.

The following Request/Response is to . I was going to highlight interesting values, but so much here is interesting that I decided to share as-is. Duration information, URLs, a session and user ID, DOM processing time, and more. These insights are granular.

Next, if you can believe it, is the Chrome Media Router we saw at the beginning of this thread. We already downloaded this one, but it appears we will be doing so again. First time had a "X-Goog-Update-Interactivity: fg" header. Now it's a "bg" value.

The last thing that caught my attention was these invalid requests at the very end of the session list. I added time codes to see if there was a fixed interval between the calls. I have no idea what's going on here. Could be a bug in Edge Chromium.

Last observation is that numerous processes are in play. Process 2700 handled the general web contents. Process 18592 interacted exclusively with SmartScreen.

If you enjoyed this 'What Happens' thread, be sure to check out the others on Chrome, Firefox, Brave, Opera, Dissenter, and Vivaldi.

Friends on the Edge team are making changes to their Insider tab (which is loaded on a first-run of Edge Chromium) to reduce 3rd party calls. Bravo!
