Skip to content

API Review: Trusted Origin APIs #5438

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: user/chetanpandey/TrustedOriginSpecNew
Choose a base branch
from
Open

API Review: Trusted Origin APIs #5438

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0b99599
API review first draft
chetanpandey1266 Nov 12, 2025
d9fb9b3
some minor improvements
chetanpandey1266 Nov 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
213 changes: 213 additions & 0 deletions specs/TrustedOrigin.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,213 @@
Trusted Origin Support for WebView2
===

# Background

WebView2 applications often require different security and feature policies for different origins based on trust levels. Some applications need to enable specific features only for trusted origins while applying stricter security measures to untrusted content.

Currently, WebView2 applies uniform security policies across all origins, which creates two key challenges:
- **Feature Access Control**: Applications cannot selectively enable advanced features (such as certain APIs or capabilities) only for origins they trust, forcing them to either expose these features to all origins or disable them entirely.
- **Performance vs Security Trade-offs**: Security features like Enhanced Security Mode, while important for untrusted content, can impact performance when applied to trusted origins where such protections may be unnecessary.

For example, a content management application might want to allow full feature access and disable security restrictions when loading trusted administrative interfaces, while maintaining strict security policies for user-generated or external content loaded in the same WebView2 instance.

The Trusted Origin API addresses these scenarios by allowing applications to designate specific origins as trusted, enabling fine-grained control over which security and feature policies apply to different content sources.

# Description

This specification introduces the following APIs.

1. On `CoreWebView2Profile`

- **GetOriginSettings**: Get the list of `CoreWebView2OriginSetting` for this profile.
- **CreateOriginSetting**: Create and return a new `CoreWebView2OriginSetting` object.
2. `ICoreWebView2OriginSetting`interface, which exposes get and set APIs for the following features. These APIs are used to set the state of these features.

- AccentColor
- EnhancedSecurityMode
- PersistenceStorage
Copy link
Contributor

@aluhrs13 aluhrs13 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grammar: You probably want "PersistentStorage" or "StoragePersistence"

Copy link
Contributor Author

@chetanpandey1266 chetanpandey1266 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will make the change. Will prefer PersistentStorage.

- TrackingPrevention
Copy link
Contributor

@aluhrs13 aluhrs13 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should explain how this interacts with CoreWebView2EnvironmentOptions.EnableTrackingPrevention and CoreWebView2Profile.PreferredTrackingPreventionLevel.

Same for ESM and the other API we're working on for that.

Copy link
Contributor Author

@chetanpandey1266 chetanpandey1266 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah sure will add it for tracking prevention and ESM
For Accent Color and Persistent Storage I have already mentioned the default state.


The feature state can have three values which are defined by OriginSettingState {
Default,
Allow,
Block}

# Example

## Set Origin Setting for an Origin Pattern

### C++ example

```cpp
void ScenarioTrustedOrigin::SetFeatureForOrigins(std::wstring originPattern)
{
auto stagingProfile3 =
m_webviewProfile.try_query<ICoreWebView2StagingProfile3>();

wil::com_ptr<ICoreWebView2StagingOriginSettingCollection> originSettingCollection;
stagingProfile3->GetOriginSettings(&originSettingCollection);

wil::com_ptr<ICoreWebView2StagingOriginSetting> originSetting;
stagingProfile3->CreateOriginSetting(&originSetting);

CHECK_FAILURE(originSetting->put_OriginPattern(originPattern.c_str()));

// Block Accent Color
CHECK_FAILURE(originSetting->put_AccentColor(OriginSettingState::OriginSettingState_BLOCK));

// Allow Persistence Storage
CHECK_FAILURE(originSetting->put_PersistenceStorage(OriginSettingState::OriginSettingState_ALLOW));

UINT32 count;
CHECK_FAILURE(originSettingCollection->get_Count(&count));
CHECK_FAILURE(originSettingCollection->InsertValueAtIndex(count, originSetting.get()));
}
```

### .NET/WinRT

```c#
var profile = webView2.CoreWebView2.Profile;

var originSetting = profile.CreateOriginSetting();
originSetting.OriginPattern = "https://*.contoso.com";
originSetting.AccentColor = OriginSettingState.Block;
originSetting.PersistenceStorage = OriginSettingState.Allow;

var originSettings = profile.GetOriginSettings();
originSettings.Add(originSetting);
```


# API details

## C++
```cpp
[v1_enum]
typedef enum OriginSettingState {
/// Default state of the feature
OriginSettingState_DEFAULT = 0x0,
/// Allow the feature
OriginSettingState_ALLOW = 0x1,
/// Block the feature
OriginSettingState_BLOCK = 0x2,
} OriginSettingState;

interface ICoreWebView2StagingProfile3 : IUnknown {
/// Gets the list of origin settings associated with this profile.
HRESULT GetOriginSettings(
[out, retval] ICoreWebView2StagingOriginSettingCollection** value);

/// Creates a new `OriginSetting` object.
HRESULT CreateOriginSetting(
[out, retval] ICoreWebView2StagingOriginSetting** value);
}

/// Represents settings for a specific origin.
interface ICoreWebView2StagingOriginSetting : IUnknown {
/// Gets the `AccentColor` property.
[propget] HRESULT AccentColor([out, retval] OriginSettingState* value);


/// Sets the enabled property for Accent Color for the associated origin.
/// The default value for this is `Block`. When set to `Allow`, the origin is
/// allowed to use AccentColor keyword or accent-color CSS property to display OS Accent Color.
[propput] HRESULT AccentColor([in] OriginSettingState value);


/// Gets the `EnhancedSecurityMode` property.
[propget] HRESULT EnhancedSecurityMode([out, retval] OriginSettingState* value);


/// Sets the enabled property for Enhanced Security Mode for the associated origin.
/// When set to `Block`, the origin bypasses Enhanced Security Mode even if
/// Enhanced Security Mode is enabled for the profile. Similarly, when set to `Allow`,
/// the origin enforces Enhanced Security Mode even if Enhanced Security Mode is disabled
/// for the profile.
[propput] HRESULT EnhancedSecurityMode([in] OriginSettingState value);


/// Gets the `OriginPattern` property.
///
/// The caller must free the returned string with `CoTaskMemFree`. See
/// [API Conventions](/microsoft-edge/webview2/concepts/win32-api-conventions#strings).
[propget] HRESULT OriginPattern([out, retval] LPWSTR* value);


/// Sets the origin pattern associated with this origin setting.
/// The origins pattern can be both exact origin strings and wildcard patterns.
/// For wildcard patterns, `*` matches zero or more characters.
/// Examples:
/// | Origin Filter String | What It Matches | Description |
/// |---------|-----------------|-------------|
/// | `https://contoso.com` | Only `https://contoso.com` | Matches the exact origin with specific protocol and hostname |
/// | `https://*.contoso.com` | `https://app.contoso.com`,`https://api.contoso.com`,`https://admin.contoso.com` | Matches any subdomain under the specified domain |
/// | `*://contoso.com` | `https://contoso.com`,`http://contoso.com`,`ftp://contoso.com` | Matches any protocol for the specified hostname |
/// | `*contoso.*` | `https://www.contoso.com`,`http://app.contoso.com` | Matches any protocol and any subdomain under the hostname |
/// | `*example/` | `https://app.example/`,`https://api.example/` | Matches any subdomain and top-level domain variations |
/// | `https://xn--qei.example/` | `https://❤.example/`,`https://xn--qei.example/` | Normalized punycode matches with corresponding Non-ASCII hostnames |
///
/// Note: `*` is not a valid value for OriginPattern.
Copy link
Contributor

@aluhrs13 aluhrs13 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not? This seems like it should be valid.

Copy link
Contributor Author

@chetanpandey1266 chetanpandey1266 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This means we are enabling/disabling for all the origins, which might not be true for all the features we are supporting. For example, persistence storage can't be enabled for all the origins. Because for all origins if we make storage persistent, in case of low disk space there would be no eviction and it might lead to issues.

Copy link
Contributor Author

@chetanpandey1266 chetanpandey1266 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And if there is a need for toggle control, we'll add APIs as required.

Copy link
Contributor

@aluhrs13 aluhrs13 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in case of low disk space there would be no eviction and it might lead to issues.

I'm pretty sure in most cases we allow developers to shoot themselves in the foot.

Copy link
Contributor

@aluhrs13 aluhrs13 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And if there is a need for toggle control, we'll add APIs as required.

Is that the right path though? Maybe more of a question for @shrinaths / @david-risney but if we had this API (with just * allowed) when we were implementing something like CoreWebView2Profile.PreferredTrackingPreventionLevel, would we have implemented it? It seems like it could be cleaner and easier to have this API as the primary way to support enabling/disabling features for all origins in a profile for future additions.

Copy link
Contributor Author

@chetanpandey1266 chetanpandey1266 Nov 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think today also we can make all the storage persistent. Using --unlimited-storage we can do that.
ref: #72
So thinking of removing this.

Copy link
Contributor

@aluhrs13 aluhrs13 Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thinking of removing what?

Copy link
Contributor Author

@chetanpandey1266 chetanpandey1266 Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I meant the note, which says * is not a valid value.

///
/// The caller must free the returned string with `CoTaskMemFree`. See
/// [API Conventions](/microsoft-edge/webview2/concepts/win32-api-conventions#strings).
[propput] HRESULT OriginPattern([in] LPCWSTR value);


/// Gets the `PersistenceStorage` property.
[propget] HRESULT PersistenceStorage([out, retval] OriginSettingState* value);


/// Sets the enabled property for Persistence Storage for the associated origin.
/// The default value for this is `Block`. When set to `Allow`, the storage created
/// on this origin persists even when browser evicts storage under low disk space conditions.
[propput] HRESULT PersistenceStorage([in] OriginSettingState value);


/// Gets the `TrackingPrevention` property.
[propget] HRESULT TrackingPrevention([out, retval] OriginSettingState* value);


/// Sets the enabled property for Tracking Prevention for the associated origin.
/// When set to `Block`, the origin bypasses Tracking Prevention even if
/// Tracking Prevention is enabled for the profile. Similarly, when set to `Allow`,
/// the origin enforces Tracking Prevention even if Tracking Prevention is disabled
/// for the profile.
[propput] HRESULT TrackingPrevention([in] OriginSettingState value);
}
```

## .Net/WinRT

```c#
namespace Microsoft.Web.WebView2.Core
{
enum Originsettingstate
{
Default = 0,
Allow = 1,
Block = 2,
};

runtimeclass CoreWebView2OriginSetting
{
Originsettingstate AccentColor { get; set; };

Originsettingstate EnhancedSecurityMode { get; set; };

String OriginPattern { get; set; };

Originsettingstate PersistenceStorage { get; set; };

Originsettingstate TrackingPrevention { get; set; };
}

runtimeclass CoreWebView2Profile
{
IVector<CoreWebView2OriginSetting> GetOriginSettings();

CoreWebView2OriginSetting CreateOriginSetting();
}
}
```