
Pages using WebRTC trigger Windows Firewall prompt every time msedgewebview2.exe is updated. #2252

Closed
dmcgloin opened this issue Mar 9, 2022 · 14 comments
Labels: feature request; tracked (We are tracking this work internally.)

Comments

dmcgloin commented Mar 9, 2022

We have a login page that is using WebRTC for device trust. Every time this page loads AND a new version of msedgewebview2.exe has been installed (Evergreen deployment model), a Windows Firewall permission prompt appears. This is a fairly confusing alert for most users. Looking in the Windows Firewall with Advanced Security settings, we can see a few relevant Inbound rules:

  1. Microsoft Edge (mDNS-In) Microsoft Edge C:\Program Files (x86)...\msedge.exe
  2. Microsoft Edge (mDNS-In) Microsoft Edge WebView2 Runtime C:\Program Files (x86)...\99.0.1150.36\msedgewebview2.exe
  3. Microsoft Edge (mDNS-In) Microsoft Edge WebView2 Runtime C:\Program Files (x86)...\99.0.1150.30\msedgewebview2.exe

The first rule is for the main desktop Edge browser. This is fine.
The second and third rules are created by the user responding to the prompt (maybe this happens for the main desktop Edge browser but I don't remember).

Now for the rabbit hole ;) (which likely is already known to the team)

This whole mDNS-In firewall thing is a user-privacy feature that protects against exposure of customers' internal IP addresses (when behind a NAT). So if the user grants permission at the firewall prompt, they have GREATER privacy, while if they decline permission, they have LESS privacy. At least this is my understanding. More background here: https://www.youtube.com/watch?v=BKorP55Aqvg.

We have tried seeing if we can turn off the WebRTC usage in the login page, but this gets into a security quagmire discussion.

But my proposal here is that the WebView2 team consider automatically installing this mDNS-In firewall entry when a new version of msedgewebview2.exe is installed - with the default state of allowing mDNS so that users can have greater privacy by default. This of course has the side benefit of avoiding the confusing Windows Firewall prompt.

Hopefully this makes sense. Interested to hear thoughts on whether this is a viable solution, or if there are other alternatives not considered.

Related issue (but not really the same IMO): #369

AB#38468976

@dmcgloin dmcgloin added the feature request feature request label Mar 9, 2022
@champnic champnic added the tracked We are tracking this work internally. label Mar 10, 2022
champnic (Member) commented

Thanks for the feature request @dmcgloin, and sorry for the suboptimal experience your users are facing. I've added this scenario to our backlog to look into further!

dmcgloin (Author) commented Jan 25, 2023

Hey @champnic. Wondering if there is any hope of this getting resolved somehow? This is still a significant issue for our company, and we serve a lot of Windows desktop customers.

champnic (Member) commented Feb 1, 2023

@jasonstephen15 Any update on this issue?

jasonstephen15 (Contributor) commented

@dmcgloin - can you please send a screenshot of the firewall prompt you are getting. Want to understand if this is an issue with the wording of the prompt, or something we should do to technically solve this.

LiangTheDev (Member) commented

@dmcgloin could you please collect Edge installer logs on a machine that has the issue? Instructions are at https://github.com/MicrosoftEdge/WebView2Feedback/blob/main/diagnostics/install.md#installer-logs. The Edge installer is supposed to set up firewall rules.

dmcgloin (Author) commented Feb 4, 2023

Thanks for following up, @champnic , @jasonstephen15 and @LiangTheDev !

Here's a screenshot of the firewall prompt. I can follow up with the installer logs. But the installer doesn't appear to introduce any firewall rules relevant to the WebView2 runtime.

Btw, this can easily be reproduced by navigating in an example app to: "https://www.bankofamerica.com", "https://www.wellsfargo.com" or "https://www.chase.com"

[Screenshot: Windows Security Alert firewall prompt for msedgewebview2.exe]

LiangTheDev (Member) commented

@dmcgloin, this is exactly the problem: "But the installer doesn't appear to introduce any firewall rules relevant to the WebView2 runtime". The installer logs could provide info on possible error code when installer tries to setup firewall rules.

dmcgloin (Author) commented Feb 7, 2023

OK, @LiangTheDev. I've captured the logs in a zip file. Where should I send them?

LiangTheDev (Member) commented

@dmcgloin please email me at lzhao@microsoft.com.

dmcgloin (Author) commented Feb 7, 2023

I sent the logs @LiangTheDev . Let me know if the email with attachment made it through the interweb - or if you need further info.

LiangTheDev (Member) commented

I've got the logs. I don't see signs of failures. I'll ask around to see how to move investigation further.

LiangTheDev (Member) commented

@dmcgloin sorry for taking a long time to get back to you. I think that I understand the issue now: a per-user installation is not able to add firewall rules.

When you run the WebView2 installer without elevation (not run as admin), the WebView2 Runtime is installed per user, under %LOCALAPPDATA%\Microsoft\EdgeWebView. A non-elevated process does not have permission to add firewall rules, so the user gets prompted.

When you run the WebView2 installer elevated (run as admin), the WebView2 Runtime is installed per machine, under C:\Program Files (x86)\Microsoft\EdgeWebView. The elevated installer has permission to add firewall rules and will add them.

We were too focused on why there were no rules for C:\Program Files (x86)...\99.0.1150.36\msedgewebview2.exe as stated in the original post and failed to notice the per-user location in the dialog you shared later. For a per-user installation, it is expected.

We have a feature to automatically move a per-user WebView2 Runtime installation to per machine if there are other per-machine Edge products on the machine during the next Edge update. If there are no other per-machine Edge products on the machine, the WebView2 Runtime will stay per user and no firewall rules are added by the installer.
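
The per-user versus per-machine distinction above is easy to check from a PowerShell session. The following script is an added example for this thread, not code from the WebView2 project or from any participant: it reads the documented EdgeUpdate client registry keys for the Evergreen WebView2 Runtime (client GUID {F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}) in both HKLM and HKCU, lists inbound Windows Firewall rules whose program path is any msedgewebview2.exe, and reports for each install whether an enabled allow rule covers its current binary. The `Application\<version>\msedgewebview2.exe` path layout under the two base directories named in this thread is an assumption, as is the rule name and the UDP/5353 shape of the mDNS-In rule that `Add-WebView2MdnsRule` creates when run elevated.

```powershell
#Requires -Version 5.1
# Added example: inventory WebView2 Runtime installs and their firewall coverage.
# Not code from the WebView2 project. Assumptions are marked inline.

# Documented EdgeUpdate client GUID for the Evergreen WebView2 Runtime.
$WebView2ClientId = '{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}'

function Get-WebView2Install {
    # Per-machine installs register under HKLM (WOW6432Node on 64-bit Windows),
    # per-user installs under HKCU. 'pv' holds the installed version string.
    $candidates = @(
        @{ Scope = 'PerMachine'; Key = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\$WebView2ClientId"; Root = "${env:ProgramFiles(x86)}\Microsoft\EdgeWebView\Application" },
        @{ Scope = 'PerMachine'; Key = "HKLM:\SOFTWARE\Microsoft\EdgeUpdate\Clients\$WebView2ClientId";             Root = "${env:ProgramFiles}\Microsoft\EdgeWebView\Application" },
        @{ Scope = 'PerUser';    Key = "HKCU:\SOFTWARE\Microsoft\EdgeUpdate\Clients\$WebView2ClientId";             Root = "$env:LOCALAPPDATA\Microsoft\EdgeWebView\Application" }
    )
    foreach ($c in $candidates) {
        $pv = (Get-ItemProperty -Path $c.Key -Name pv -ErrorAction SilentlyContinue).pv
        if ($pv) {
            # Assumption: the runtime binary lives at <Root>\<version>\msedgewebview2.exe
            [pscustomobject]@{
                Scope   = $c.Scope
                Version = $pv
                Exe     = Join-Path $c.Root "$pv\msedgewebview2.exe"
            }
        }
    }
}

function Get-WebView2FirewallRule {
    # Inbound rules whose application filter points at any msedgewebview2.exe.
    Get-NetFirewallRule -Direction Inbound -ErrorAction SilentlyContinue | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Program -like '*\msedgewebview2.exe') {
            [pscustomobject]@{
                Name    = $_.DisplayName
                Enabled = $_.Enabled
                Action  = $_.Action
                Program = $app.Program
            }
        }
    }
}

function Add-WebView2MdnsRule {
    # Creates the inbound mDNS (UDP 5353) allow rule for one runtime binary.
    # Assumption: this mirrors the shape of the Edge "(mDNS-In)" rules seen in the thread.
    param([Parameter(Mandatory)][string]$ExePath)
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Adding a firewall rule requires an elevated session; a per-user install cannot do this, which is why the prompt appears.'
    }
    New-NetFirewallRule -DisplayName 'Microsoft Edge WebView2 Runtime (mDNS-In)' `
        -Direction Inbound -Program $ExePath -Protocol UDP -LocalPort 5353 `
        -Action Allow -Profile Any
}

# Report: one line per install, flagging whether an enabled allow rule covers its exe.
$installs = @(Get-WebView2Install)
$rules    = @(Get-WebView2FirewallRule)
foreach ($i in $installs) {
    $covered = $rules | Where-Object {
        $_.Program -ieq $i.Exe -and "$($_.Enabled)" -eq 'True' -and "$($_.Action)" -eq 'Allow'
    }
    '{0,-10} {1,-14} mdnsRule={2,-5} {3}' -f $i.Scope, $i.Version, [bool]$covered, $i.Exe
}
if (-not $installs) { 'No WebView2 Runtime registration found in HKLM or HKCU.' }
```

A per-user install will show `mdnsRule=False` for its `%LOCALAPPDATA%` path, matching the behaviour described above; after an elevated install the per-machine entry under `Program Files (x86)` should show `True`. Stale rules for older version directories (as in the original post) are also listed by `Get-WebView2FirewallRule`, since they match on the file name rather than the current version.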

dmcgloin (Author) commented Feb 14, 2023

Ohhhhhhhhhh. This is great! Thanks so much for digging into this, @LiangTheDev . I'm now kicking myself for not trying to install WebView2 Runtime as an Admin. Installing as Admin will actually be the normal deployment model. I just didn't think twice when I ran the installer.

Once I installed as Admin, I no longer saw the firewall prompt.

Question: Since we want Evergreen deployment, will the next incremental version update of the edge executable stay in the Program Files subdirectory, and therefore not require the Windows Firewall prompt?

LiangTheDev (Member) commented

@dmcgloin, glad that it worked for you. Yes, the next update will stay in the Program Files (x86) folder and not require the Windows Firewall prompt.
