[Problem/Bug]: WebView2 does not honor CoreWebView2ServerCertificateErrorAction when a 30x redirection occurs #4575

Open
TWhidden opened this issue May 21, 2024 · 5 comments
Labels
bug Something isn't working tracked We are tracking this work internally.

TWhidden commented May 21, 2024

What happened?

Description:

When using WebView2, the ServerCertificateErrorDetected callback effectively allows the use of self-signed certificates in a closed network by setting args.Action = CoreWebView2ServerCertificateErrorAction.AlwaysAllow.

Problem:

However, this behavior is inconsistent in scenarios involving HTTP 30x redirects. Specifically, when a web server returns a 30x redirect, the previously permitted certificate is not honored, resulting in a certificate error message.

Additionally, this issue can also occur when navigating backwards to a page that triggered a 30x redirect, leading to the same certificate error.

Current Workaround:

Using the --ignore-certificate-errors argument in WebView2's AdditionalBrowserArguments bypasses these errors but globally accepts all certificates, which is not ideal. We need the ability to selectively decide whether to ignore a certificate error on a case-by-case basis.

We want to address the inconsistency in handling certificate errors during 30x redirects and backward navigation. This would allow us to maintain security while still accommodating the use of self-signed certificates in specific scenarios.

Enable Logging Output Differences with and without flag

The screenshots below have the callback for every cert error set to args.Action = CoreWebView2ServerCertificateErrorAction.AlwaysAllow; the only difference is the missing AdditionalBrowserArguments.

With --ignore-certificate-errors

image

Without --ignore-certificate-errors

image

Importance

Moderate. My app's user experience is affected, but still usable.

Runtime Channel

Stable release (WebView2 Runtime)

Runtime Version

124.0.2478.97

SDK Version

1.0.2478.35

Framework

WPF

Operating System

Windows 11

OS Version

22621.3668

Repro steps

  1. Wire up the ServerCertificateErrorDetected event, with the handler setting AlwaysAllow
  2. Navigate to a local web server HTTPS site with a self-signed certificate
  3. Click a link to the server that generates a 30x redirect returned to the WebView2
  4. Observe the certificate warning

Other option

  1. If the redirect did not trigger cert warning,
  2. Navigate back, which tells the browser to go to the previous last source - this may also do it.

Repros in Edge Browser

No, issue does not reproduce in the corresponding Edge version

Regression

Don't know

Last working version (if regression)

No response

AB#51156818
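
Added example (not part of the original report and not WebView2 project code): one way to make the case-by-case decision the report asks for is to return AlwaysAllow from ServerCertificateErrorDetected only when the host and the certificate's SHA-256 thumbprint match a pin, instead of allowing every certificate error. The class name, host name and thumbprint value are assumptions made up for illustration, and the sketch does not change the redirect behaviour described in the report.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.Web.WebView2.Core;

public static class PinnedCertificatePolicy
{
    // Constructed placeholders (assumptions): internal host -> SHA-256 thumbprint (hex)
    // of the self-signed certificate that host is expected to present.
    private static readonly Dictionary<string, string> Pins =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["intranet.example.test"] = "<SHA256-THUMBPRINT-HEX-PLACEHOLDER>",
        };

    // Call once CoreWebView2 is initialized (after EnsureCoreWebView2Async in WPF).
    public static void Attach(CoreWebView2 core)
    {
        core.ServerCertificateErrorDetected += (sender, args) =>
        {
            using (var cert = args.ServerCertificate.ToX509Certificate2())
            {
                string thumbprint = cert.GetCertHashString(HashAlgorithmName.SHA256);
                args.Action = Decide(args.RequestUri, thumbprint, args.ErrorStatus);
            }
        };
    }

    // Pure decision function so the policy can be unit-tested without a WebView2 instance.
    public static CoreWebView2ServerCertificateErrorAction Decide(
        string requestUri, string sha256Thumbprint, CoreWebView2WebErrorStatus status)
    {
        // Never override an expired or revoked certificate, even for a pinned host.
        if (status == CoreWebView2WebErrorStatus.CertificateExpired ||
            status == CoreWebView2WebErrorStatus.CertificateRevoked)
            return CoreWebView2ServerCertificateErrorAction.Cancel;

        // Only absolute https:// URIs whose host is in the pin table are candidates.
        if (!Uri.TryCreate(requestUri, UriKind.Absolute, out Uri uri) ||
            uri.Scheme != Uri.UriSchemeHttps ||
            !Pins.TryGetValue(uri.Host, out string expected))
            return CoreWebView2ServerCertificateErrorAction.Cancel;

        // Allow only when the presented certificate is exactly the pinned one.
        return string.Equals(expected, sha256Thumbprint, StringComparison.OrdinalIgnoreCase)
            ? CoreWebView2ServerCertificateErrorAction.AlwaysAllow
            : CoreWebView2ServerCertificateErrorAction.Cancel;
    }
}
```

AlwaysAllow decisions are cached by WebView2; CoreWebView2.ClearServerCertificateErrorActionsAsync() clears them, for example after the pinned certificate is rotated.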

@TWhidden TWhidden added the bug Something isn't working label May 21, 2024
@vickiez vickiez added the tracked We are tracking this work internally. label May 21, 2024
@vickiez
Contributor

vickiez commented May 21, 2024

@TWhidden thanks for reporting this issue. We will investigate and share updates on this thread.

@vickiez vickiez added bug Something isn't working tracked We are tracking this work internally. and removed bug Something isn't working tracked We are tracking this work internally. labels May 21, 2024
@monica-ch
Contributor

@TWhidden What is the behavior in edge browser in this case?

@monica-ch
Contributor

@TWhidden I am unable to repro the issue from our sample app. If you are still seeing the issue, could you share a simple sample project with the repro for us to look into it? Thanks!

@TWhidden
Author

Hi, sorry for the delayed response. I will work on a repro on this. Give me a little bit to prepare. Thanks!

@TWhidden
Author

TWhidden commented Jun 24, 2024

@TWhidden What is the behavior in edge browser in this case?

Sorry, missed this message. Since we are doing this in WebView2 with coding, there is no way to test this in standard Edge. Edge will just show the invalid certificate.
