MicrosoftEdge / WebView2Feedback

Feedback and discussions about Microsoft Edge WebView2
https://aka.ms/webview2

[Win32] How to firewall whitelist a WebView2 application? #369

Closed forderud closed 6 months ago

forderud commented 4 years ago

WebView2 seems to perform network connections through a separate msedgewebview2.exe process. This causes firewall configuration problems for locked-down systems where both inbound and outbound communication is blocked by default, since whitelisting the application EXE isn't sufficient to enable networking. Networking instead needs to be enabled by whitelisting msedgewebview2.exe. However, this will also whitelist any other WebView2 application on the same system, which can be problematic.

The issue concerns untrusted Win32 desktop applications where AppContainers cannot be used due to technical limitations in Windows. I've previously raised ticket 119040926000131 on this limitation, and have been told that this is on the roadmap for a future Windows release after 20H2.

Request: Would it be possible to add some kind of option for making WebView2 network communication in-process, so that firewall whitelisting can be done intuitively on a per-app basis?

AB#28335349

champnic commented 4 years ago

Is it acceptable to whitelist msedgewebview2.exe and rely on the sandboxing model of the browser for security? What are your security concerns in this area?

forderud commented 4 years ago

The deployment target in question is an embedded medical device where both inbound and outbound communication is blocked by default to minimize the attack surface. Inbound communication is blocked to reduce risk of external "hacking" whereas outbound is blocked to minimize risk of untrusted applications leaking protected health information over the network (we have to assume that 3rd party applications running on the same system could be malicious).

Some parts of the SW still need network access. This is handled by selectively whitelisting individual applications with a legitimate network need. Whitelisting of msedgewebview2.exe will (according to my understanding) enable networking for all WebView2-based applications on the same system. This is problematic, since it would also enable networking for other, potentially malicious applications also using WebView2, which could then leak information over HTTP.

champnic commented 4 years ago

Thanks, I've added this context to our backlog item.

forderud commented 3 years ago

@champnic Any progress on this security enhancement request?

champnic commented 3 years ago

Unfortunately it looks like it got prioritized to the middle of our backlog, so I wouldn't expect a change here for a while. I believe we are planning better OS integration sooner, and it's possible this will start working when we do that, but I wouldn't count on it. I'll start an email thread/investigation to see if this might be cheap and we can bump it up though.

forderud commented 3 years ago

Just pinging in. Any update on this security enhancement request?

champnic commented 3 years ago

We haven't found an easy way to do this, sorry. :(

soumas commented 3 years ago

Unfortunately, this is a big problem for us too. We use the WebView2 Control for a browser with very limited internet access. Only this browser is enabled for port 80/443 via the Windows Defender firewall. So far we have used the Winforms WebBrowser Control for this, with which the configuration of the firewall was possible without problems (one exe, one process). Unlocking msedgewebview2.exe globally is not an option for us in terms of security.

@champnic Does your last comment mean that there will definitely not be a "non-sandbox" solution here, or could there be something in the future?

champnic commented 3 years ago

@soumas What do you mean by a "non-sandbox" solution? Are you asking if we'll support running the WebView2 inside the host app process, rather than out-of-proc?

soumas commented 3 years ago

@champnic Yes exactly - that was my question. Excuse the inaccuracy - I had a false thought

j0hnby commented 3 years ago

This is an issue for me too - is there any update?

champnic commented 3 years ago

Right now there doesn't seem to be a way to do this after talking with the firewall team. We are working with them to figure out a path forwards, but unfortunately it might require OS changes (and be subject to OS shipping timelines).

forderud commented 2 years ago

Gentle reminder. Any update on this issue?

champnic commented 2 years ago

I just checked and it sounds like details and spec are still being hashed out with the OS team. Given this will require an OS update, I imagine this won't be available for quite a while unfortunately :(

srwei commented 6 months ago

@forderud Windows Firewall released an update last year that allows WDAC tagging to be used to filter on firewall rules. You can use this to safelist or blocklist a specific WebView2 application (there are rules for parent and child applications). Please make sure to check the links below on how to create and apply the WDAC tags, and that your Windows version supports this update.

https://techcommunity.microsoft.com/t5/intune-customer-success/new-settings-in-microsoft-intune-to-enhance-windows-defender/ba-p/3803857
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/appidtagging/wdac-appid-tagging-guide

forderud commented 6 months ago

> Windows Firewall released an update last year that allows WDAC tagging to be used to filter on firewall rules. You can use this to safelist or blocklist a specific WebView2 application (there are rules for parent and child applications). Please make sure to check the links below on how to create and apply the WDAC tags, and that your Windows version supports this update.

@srwei I've now tested WDAC AppId tagging and was able to annotate my application with a POLICYAPPID://<tag-key> security attribute as instructed. However, the attribute does not seem to propagate to the msedgewebview2.exe child processes implicitly created by my app. I'm therefore still unable to create a firewall rule for whitelisting just my WebView2 application, and not other applications also using the same WebView2 run-time.

srwei commented 6 months ago

@forderud You also need to set the parent application path as well as the child webview2 process. Here is an example of what a rule would look like:

```powershell
$rule += New-CIPolicyRule -DriverFilePath 'C:\PathToWebView2Executable\VersionId\msedgewebview2.exe' -Level FilePublisher -AppID 'C:\Program Files\PathToApplicationExecutable\application.exe'
```

This way, it will filter on only the webview2 process(es) that are child to the parent application.

Please let me know if this fixes it for you.

forderud commented 5 months ago

> @forderud You also need to set the parent application path as well as the child webview2 process. Here is an example of what a rule would look like:
>
> $rule += New-CIPolicyRule -DriverFilePath 'C:\PathToWebView2Executable\VersionId\msedgewebview2.exe' -Level FilePublisher -AppID 'C:\Program Files\PathToApplicationExecutable\application.exe'
>
> This way, it will filter on only the webview2 process(es) that are child to the parent application.

I'm unfortunately not able to get the above suggestion to work. WinDBG doesn't show any POLICYAPPID://<tag-name> entries in either the parent or the webview2 process when testing in an updated Win11 VM.

I think I'll need a more complete example in order to understand how to use WDAC AppId tagging here, since it's unclear to me how the -AppID argument above interacts with later New-CIPolicy and Set-CIPolicyIdInfo calls. Does it for instance need to match later -AppIdTaggingKey and/or -AppIdTaggingValue arguments?

anthonynz commented 3 months ago

It would be nice to one day see a Microsoft that takes security and privacy seriously.

Who at Microsoft thought it acceptable to create a scenario where MSEdgeWebView2.exe must require blanket outbound network connectivity? Microsoft need to sack these devs who have no concern for security fundamentals. Network connectivity must be allowed by exception. Even Teams no longer functions unless the MSEdgeWebView2.exe process has an exception - which then allows any other program using MSEdgeWebView2 to access the internet.

srwei commented 3 months ago

@forderud Reached out to someone who works directly with WDAC tagging. Can you try this below? *Note: this only tags webview2 if Edge launched it; you will need to replace with your respective apps and paths.


```powershell
$rule = new-cipolicyrule -DriverFilePath "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedgewebview2.exe" -Level FilePublisher -AppID "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\msedge.exe"
new-cipolicy -Rules $rule -FilePath ./Tag-Webview.xml -AppIdTaggingPolicy -AppIdTaggingKey "Firewall Tag" -AppIdTaggingValue "AllowProcess"
Set-CIPolicyIdInfo -FilePath .\Tag-Webview.xml -ResetPolicyID
```

** Manually edit the PolicyType from "Base Policy" to "AppId Tagging Policy"

```powershell
convertfrom-cipolicy .\Tag-Webview.xml "./{1C8A22DC-3EE7-4C36-83AC-5E59F449CB90}.cip"
citool -up ".\{1C8A22DC-3EE7-4C36-83AC-5E59F449CB90}.cip"
```

** Reboot **

Don't forget the reboot.

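The procedure above, written out as one parameterized script (an added example, not srwei's or the project's code). It tags msedgewebview2.exe only when it is a child of a named host app, automates the manual PolicyType edit, and ends with a firewall rule that keys on the tag instead of on msedgewebview2.exe. All paths, the tag key/value and the rule name are placeholders; the PolicyType string is taken as written in the thread, and the `-PolicyAppId` value format is an assumption to confirm against the linked tagging guide.

```powershell
# Added example: build, load and check a WDAC AppId tagging policy for one
# WebView2 host application, then bind a firewall rule to the tag.
# Run elevated; every default below is a placeholder for your own paths/names.
#Requires -RunAsAdministrator
param(
    [string]$HostExe     = 'C:\Program Files\MyVendor\MyApp\MyApp.exe',
    [string]$WebView2Exe = 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\<version>\msedgewebview2.exe',
    [string]$TagKey      = 'FirewallTag',
    [string]$TagValue    = 'MyAppAllowed',
    [string]$PolicyXml   = (Join-Path $PWD 'Tag-MyApp.xml')
)

# 1. Rule for the WebView2 runtime, scoped to children of our host process (-AppID).
$rules = @()
$rules += New-CIPolicyRule -DriverFilePath $WebView2Exe -Level FilePublisher -AppID $HostExe

# 2. Emit an AppId tagging policy carrying the key/value pair, with a fresh policy GUID.
New-CIPolicy -Rules $rules -FilePath $PolicyXml -AppIdTaggingPolicy `
    -AppIdTaggingKey $TagKey -AppIdTaggingValue $TagValue
Set-CIPolicyIdInfo -FilePath $PolicyXml -ResetPolicyID

# 3. The thread reports the XML still says PolicyType="Base Policy" at this point;
#    patch the attribute instead of editing by hand (string as given in the thread,
#    check its case against your generated XML/schema).
$doc = [xml](Get-Content -Path $PolicyXml -Raw)
$doc.SiPolicy.SetAttribute('PolicyType', 'AppId Tagging Policy')
$doc.Save($PolicyXml)

# 4. Compile to a .cip named after the policy GUID and load it with citool.
$policyId = $doc.SiPolicy.PolicyID            # e.g. {1C8A22DC-...}, braces included
$cip = Join-Path $PWD "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $cip
citool.exe --update-policy $cip
citool.exe --list-policies                    # the new PolicyID should be listed; reboot afterwards

# 5. Firewall rule bound to the WDAC tag rather than to msedgewebview2.exe itself,
#    so other WebView2 hosts on the machine stay blocked (ports as in the thread).
# Assumption: -PolicyAppId takes the tag key; verify the expected format in the guide.
New-NetFirewallRule -DisplayName 'MyApp WebView2 outbound' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 80,443 -PolicyAppId $TagKey
```

After the reboot, a quick check that the tag actually propagated is to inspect the token of a running msedgewebview2.exe child (as forderud did with WinDBG) for a POLICYAPPID://<tag-key> security attribute before relying on the rule.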