Security - What features will be shut down? #155

Closed
dinther opened this issue Apr 12, 2020 · 3 comments

dinther commented Apr 12, 2020

As a new WebView2 user, I am absolutely thrilled with WebView2 and I have been able to access it in Lazarus/Free Pascal without any trouble.

Being an ex-Win32 developer and currently frustrated web developer, I love it that I am getting some sense of control again over the environment I am working in and don't have to suffer "You can't do this inside a browser". Also, the trudging in the ever-changing environment swamp looks like it might be resolved somewhat. At least I now know what browser engine my web code will be running on. Hurry up with the Linux version though.

Microsoft might prefer developers to use the "evergreen" version of WebView2, but personally I can't wait to have the "bring your own" option. Standards on the web change way too fast and too much code breaks because of it. My 23-year-old Delphi code based on the Win32 API still runs today! Try that with a web app.

Q1:
For example, in a browser, timers and requestAnimationFrame stop when it is minimized. As a result, my PWA program stopped doing its job when minimized, and that is the main reason I am turning my back on PWA. Thankfully, in WebView2 this loop keeps going. Will this continue to be the case?

Q2:
As WebView undoubtedly will become popular, is there a risk that I am building solutions on WebView2 features that might be shut down in the future for security reasons?

@david-risney
Contributor

Hi! Thanks for the feedback and your questions!

  1. We need the app to tell us when the WebView2 should be considered hidden. Not sure if timers in particular are tied to the IsVisible property, but at least some things are paused or freed when IsVisible is false.

  2. For web content we will match the browser. If the browser needs to modify or remove a web API, it will match in WebView2. For WebView2 APIs we don't have any known or planned instances of this. It is possible that a future security issue may require changes to WebView2, and we need to ensure the product is secure, but we will do what we can to lessen app compat impact. Did you have something specific in mind that might be a security issue?

@dinther
Author

dinther commented Apr 14, 2020

Well, I love the ability to communicate with the host win32 app. Whatever the browser is not capable of can be implemented at that level. Using the messaging system to pass commands and data back and forth.

However, I thought that browsers are required to be completely sandboxed.

Currently I have a problem where a page served from https:// needs to connect locally to a ws:// endpoint, which is no longer allowed for security reasons. By building an http:// server into my win32 app (or, as I just realised, hooking into the ICoreWebView2WebResourceRequest), WebView2 will quite happily establish the ws:// connection.

If these are security loopholes, I'd rather find out now than have my application break in 6 months.

[edit:]
Oh, I wanted to ask: what is the recommended way to install Edge Chromium on a user's PC? The installer for my app will need to ensure the user has Edge Chromium installed.

@champnic
Member

champnic commented Oct 9, 2020

Hey @dinther, sorry for the delay. Here are resources on distributing the runtime, and we're working on sample code as well:
https://docs.microsoft.com/en-us/microsoft-edge/webview2/concepts/distribution

I'm going to close this issue as it's a bit old now and I believe most of the questions have been answered. If you have another question or bug please open a new issue. Thanks!

@champnic champnic closed this as completed Oct 9, 2020