API Review: Trusted Origin APIs #5462
base: user/chetanpandey/TrustedOriginNewApproach
billxc
left a comment
Are we considering supporting an API that allows updating a single feature at a time? There are scenarios where users don't want to update the entire feature list, but rather just toggle one specific feature on or off.
In the current API design, all other features are kept at their default state. This forces users to set the entire list, which means they must first retrieve the current state of all features to safely make updates. Since our API is asynchronous, this adds further complexity to the user's code.
Ideal sample code:
profile.SetTrustedOriginFeature("https://*.contoso.com", CoreWebView2TrustedOriginFeature.AccentColor, false);
The API does not mandate setting all features. However, if you do want to set more than one, that is allowed.
| /// This method allows configuring multiple features for trusted origins, | ||
| /// such as accent color, persistent storage, and enhanced security mode. | ||
| /// The origins can be both exact origin strings and wildcard patterns. | ||
| /// For detailed examples, refer to the table at: https://learn.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.addwebresourcerequestedfilter. |
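Review bot: The last line of this doc comment defers the wildcard semantics to the AddWebResourceRequestedFilter page, which documents URI filter matching for web resource requests rather than origin matching. Because these patterns decide which origins receive trusted-origin features, please state the matching rules here: which parts of the origin (scheme, host, port) a wildcard may cover, with one or two origin-specific examples, instead of relying on the linked table.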
Please document what happens for multiple subsequent calls that overlap. I'm not sure that it matters too much what the answer is, but we do need to say how it works.
For instance if you call once:
https://example.com, AccentColor: true
And then after that you call:
https://example.com, PersistentStorage: true
What happens when you navigate to https://example.com? Does only the latest call apply (only PersistentStorage: true) or is it the aggregate of all previous calls (both AccentColor: true, and PersistentStorage: true)?
Or if you call
https://example.com, AccentColor: true, PersistentStorage: true
And then
https://*.com, AccentColor: false
What happens when you navigate to https://example.com? Does it get only the latest rule applied (AccentColor: false), or an aggregate of the rules ordered by when they were called (AccentColor: false, PersistentStorage: true)?
c465b5d to 507a3ea
| [in] ICoreWebView2StagingTrustedOriginFeatureSetting** features | ||
| ); | ||
|
|
||
| /// Gets the feature configurations for a specified origin. |
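Review bot: The summary line "Gets the feature configurations for a specified origin" does not say what the caller receives for an origin that was never configured, or whether the origin argument may itself be a wildcard pattern. Please document both cases in this comment so callers can tell "no rule set" apart from "feature at its default state".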
Please specify in the documentation comment if you get only the configuration specified explicitly for that origin, or if it's all the applicable configurations that apply to that origin due to wildcards as well. For example if you call
https://example.com/, PersistentStorage: true
And then
https://*.com, AccentColor: true
And then do a Get for https://example.com, is it just the PersistentStorage: true, or both of them?
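The call sequences from the two review comments above (overlapping Set calls, and Get after a wildcard call), replayed against a small model. This is an added example, not code from the pull request or from WebView2: the class `TrustedOriginRules`, its method names, and the rule that `*` matches any run of characters are assumptions made for illustration, and the trailing slash in `https://example.com/` is dropped.

```python
from fnmatch import fnmatchcase


class TrustedOriginRules:
    """Hypothetical model of per-origin feature rules; not the WebView2 code."""

    def __init__(self, calls=()):
        # Each call is (origin pattern, {feature name: enabled}), in call order.
        self.calls = [(pattern, dict(features)) for pattern, features in calls]

    def _matching(self, origin):
        # Assumption: '*' in a pattern matches any run of characters.
        return [f for p, f in self.calls if fnmatchcase(origin, p)]

    def latest_call_only(self, origin):
        """Candidate A: only the most recent matching call applies."""
        hits = self._matching(origin)
        return dict(hits[-1]) if hits else {}

    def aggregate(self, origin):
        """Candidate B: matching calls merge in call order, later values win."""
        merged = {}
        for features in self._matching(origin):
            merged.update(features)
        return merged

    def get_explicit(self, origin):
        """Get variant: only rules set for this exact origin string."""
        return {k: v for p, f in self.calls if p == origin for k, v in f.items()}


# Constructed inputs: the call sequences quoted in the two review comments.
SAME_ORIGIN_TWICE = TrustedOriginRules([
    ("https://example.com", {"AccentColor": True}),
    ("https://example.com", {"PersistentStorage": True}),
])
EXACT_THEN_WILDCARD = TrustedOriginRules([
    ("https://example.com", {"AccentColor": True, "PersistentStorage": True}),
    ("https://*.com", {"AccentColor": False}),
])
EXACT_THEN_WILDCARD_GET = TrustedOriginRules([
    ("https://example.com", {"PersistentStorage": True}),
    ("https://*.com", {"AccentColor": True}),
])

if __name__ == "__main__":
    for r in (SAME_ORIGIN_TWICE, EXACT_THEN_WILDCARD, EXACT_THEN_WILDCARD_GET):
        print(*(m("https://example.com") for m in (r.latest_call_only, r.aggregate, r.get_explicit)))
```

Under candidate A, the later `https://*.com` call silently discards the PersistentStorage setting made for the exact origin; under candidate B, it overrides only AccentColor. The two Get variants disagree in the same way, which is why the documentation has to pick one.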
This pull request introduces a new specification for Trusted Origin support in WebView2, enabling applications to apply different security and feature policies based on the trust level of content origins. The changes provide APIs for designating trusted origins and configuring feature access and security settings per origin, addressing previous limitations around uniform policy enforcement.
Trusted Origin API and Feature Management:
CoreWebView2Profile for creating, setting, and retrieving feature settings for trusted origins, allowing fine-grained control over security and feature policies.
ICoreWebView2StagingProfile3, ICoreWebView2StagingTrustedOriginFeatureSetting, and COREWEBVIEW2_TRUSTED_ORIGIN_FEATURE) to represent origin-specific feature configurations, including AccentColor, PersistentStorage, and EnhancedSecurityMode.
Usage Examples and API Details:
Background and Motivation: