[Problem]: Unable to disable CORS and enable Mixed Content for Private Network Access #4166
Description
| Importance | Blocking. My app's basic functions are not working due to this issue. |
| Runtime Channel | Stable release (WebView2 Runtime), Prerelease (Edge Canary/Dev/Beta) |
| Runtime Version | 119.0.2151.58 and 120.0.2210.4 |
| SDK Version | 1.0.1823.32 |
| Framework | WinUI3/WinAppSDK, UWP |
| Operating System | Windows 10, Windows 11, Xbox |
| OS Version | 22621.2506 |
Background
We are trying to port and established application to WebView2. Its core is implemented in HTML/JS, surrounded by platform-specific implementations in native code. The html/js code is installed with the application and it never runs any code or displays any html views from external sources.
In the context of this application, we need to load data from "insecure origins" on the private network via http while the application needs to run in a "secure context".
Why a Secure Context for the Running Code?
Most new APIs are available in a secure context only, and we need to access quite a few of them.
Why only HTTP Connections?
The application interacts with devices (mini-servers) on the local network via REST API and loads images or videos from those devices (which are developed by us as well). These are often fully private and not accessible from outside, which means that they don't have any SSL certs and can only be accessed via http (not https). Since this is targeting end users rather than enterprises, it has to work in a plug'n'play manner and it cannot be expected from users to set up a local PKI/DNS infrastructure.
How do other Platforms Compare?
Android WebView
The app code is running from file: URLs and this context can be declared to be treated secure with a WebView option.
Electron (Windows, Linux, Mac)
The app code is running from file: URLs and Electron provides a way to lift restrictions for this context.
iOS - WebKit WebView
I don't know how we do it there, but there's a way.
UWP/WinJS
There are no mixed content restrictions IIRC
Hosted App (for browser access and PWAs)
This a pretty unfortunate topic. At the moment, we are forced to serve it over http to allow users to access their devices, and we are participating in the Chrome Origin Trial to lift restrictions due to https://wicg.github.io/private-network-access/.
We will implement the "Permission Prompt" mechanism as soon as available (https://github.com/WICG/private-network-access/blob/main/permission_prompt/explainer.md).
Please note that this is acceptable for in-browser access, but it is not a viable option for an installed application using a WebView control.
Problem
Executing a fetch request against a REST API fails and gets blocked with the following error message:
Note
Besides fetch requests, loading images in <img> tags needs to be working as well
What we have tried so far
Serving application files
Using file:// URLs
As there appears to be no way (like the other WebView implementations are providing) to treat this as secure, I have skipped trying this.
Using SetVirtualHostNameToFolderMapping
One way I've tried is using urls like https://appassets/ with this:
CoreWebView2.SetVirtualHostNameToFolderMapping("appassets", "web", CoreWebView2HostResourceAccessKind.Allow);Using the WebResourceRequested event
The primary way we're using is via the WebResourceRequested event with the same kind of urls: https://appassets/
For the WebResourceResponse I've tried returning https headers like this:
{ "Access-Control-Allow-Headers", "Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, X-MediaBrowser-Token, X-Emby-Token, X-Emby-Client, X-Emby-Client-Version, X-Emby-Device-Id, X-Emby-Device-Name, X-Emby-Authorization" },
{ "Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS" },
{ "Access-Control-Allow-Origin", "*" },
{ "Access-Control-Allow-Private-Network", "true" },
{ "Cross-Origin-Resource-Policy", "cross-origin" },
{ "Content-Type", "{0}" },Command Line Flags
Via Environment Variable
I tried an abundance of different flags in different combinations, all set via WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS environment variable.
Also, I verified that those flags are really being set on the msedgewebview2.exe processes.
--disable-web-security
--allow-insecure-localhost
--unsafely-treat-insecure-origin-as-secure=http:*
--disable-site-isolation-trials
--disable-block-insecure-private-network-requests
--enable-insecure-private-network-requests-allowed
--disable-private-network-access-respect-preflight-results
--disable-features=AutoupgradeMixedContent,PrivateNetworkAccessSendPreflights,PrivateNetworkAccessRespectPreflightResults,BlockInsecurePrivateNetworkRequests
--enable-features=PrivateNetworkAccessNonSecureContextsAllowed,InsecurePrivateNetworkRequestsAllowed
--enable-blink-features=PrivateNetworkAccessNonSecureContextsAllowed,InsecurePrivateNetworkRequestsAllowed
Note: What does work is --unsafely-treat-insecure-origin-as-secure=http://1.2.3.4 but the IP addresses are not known up-front and the setting doesn't support wildcard for IP addresses (as per docs and per trying).
Via CoreWebView2Environment
Somewhere it was stated that disable-web-security wouldn't work via environment variable. As I also have a custom WebView2 control (re-implemented in C# from the WinUI2 C++ code) which allows using CoreWebView2Environment to create a CoreWebView2, I have also tried setting flags via CoreWebView2EnvironmentOptions.AdditionalBrowserArguments
Policies
I tried setting the following policies
AutomaticHttpsDefault 0
InsecurePrivateNetworkRequestsAllowed 1
Distribution Modes
I tried with the evergreen runtime 119.0.2151.58 and the canary version 120.0.2210.4
I tried with fixed version distribution: 119.0.2151.58