-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Problem/Bug]: WebView2 does not honor CoreWebView2ServerCertificateErrorAction when a 30x redirection occurs #4575
Comments
@TWhidden thanks for reporting this issue. We will investigate and share updates on this thread |
@TWhidden What is the behavior in edge browser in this case? |
@TWhidden I am unable to repro the issue from our sample app. If you are still seeing the issue, could you share a simple sample project with the repro for us to look into it. Thanks! |
Hi, sorry for the delayed response. I will work on a repro on this. Give me a little bit to prepare. Thanks! |
Sorry missed this message - Since we are doing this in WebView2 with coding, there is no way to test this in standard Edge. Edge will just show the invalid certificate. |
What happened?
Description:
When using WebView2, the
ServerCertificateErrorDetected
callback effectively allows the use of self-signed certificates in a closed network by settingargs.Action = CoreWebView2ServerCertificateErrorAction.AlwaysAllow
.Problem:
However, this behavior is inconsistent in scenarios involving HTTP 30x redirects. Specifically, when a web server returns a 30x redirect, the previously permitted certificate is not honored, resulting in a certificate error message.
Additionally, this issue can also occur when navigating backwards to a page that triggered a 30x redirect, leading to the same certificate error.
Current Workaround:
Using the
--ignore-certificate-errors
argument in WebView2'sAdditionalBrowserArguments
bypasses these errors but globally accepts all certificates, which is not ideal. We need the ability to selectively decide whether to ignore a certificate error on a case-by-case basis.We want to address the inconsistency in handling certificate errors during 30x redirects and backward navigation. This would allow us to maintain security while still accommodating the use of self-signed certificates in specific scenarios.
Enable Logging Output Differences with and without flag
The below screen shots have the callback for every cert error:
args.Action = CoreWebView2ServerCertificateErrorAction.AlwaysAllow;
set, only difference is the missingAdditionalBrowserArguments
With
--ignore-certificate-errors
Without
--ignore-certificate-errors
Importance
Moderate. My app's user experience is affected, but still usable.
Runtime Channel
Stable release (WebView2 Runtime)
Runtime Version
124.0.2478.97
SDK Version
1.0.2478.35
Framework
WPF
Operating System
Windows 11
OS Version
22621.3668
Repro steps
ServerCertificateErrorDetected
, with handler settingAlwaysAllow
Other option
Repros in Edge Browser
No, issue does not reproduce in the corresponding Edge version
Regression
Don't know
Last working version (if regression)
No response
AB#51156818
The text was updated successfully, but these errors were encountered: