KeyPinning/SSLErrorHandler

[inkeliz]

Is your feature request related to a problem? Please describe.

As of today, it seems that it doesn't have any option to verifies the website certificate.

Uses cases:

• Prevent connections from untrusted source:

  • Sometimes you want to trust in a single Certificate Authority or at some certificate in particular, instead of trust in any authorities on the client's machine.

• Allow custom certificate (without need to trust them globally on Windows).

  • Some applications might talk with other local network devices, which usually have self-signed certificates.
  • Some developers, at the development process, could ignore certificate verifications, which might help to test.

Describe the solution you'd like and alternatives you've considered

I don't find anything related to that. The closest option is to trust the certificate at machine/user level, not at the application level. It doesn't fix all the issues, still not possible to key-pinning.

It must be some options to "handle ssl error", which allows the developer to choose what they do and allow them to render the page.

AB#30260332

[champnic]

Thanks for the feature request - I've added it as a scenario on our backlog.

[darkguy2008]

So this means ServerCertificateCustomValidationCallback = (req,cert,chain,errors) => true won't work to make my WinForms app using WebView2 bypass the error when connecting to https://localhost:4200 with a self-signed certificate in an Angular app?

[Iucapad]

That's exactly what I am looking for. I wish I could allow my self-signed certificate from a device that is not connected to the Internet (smart car powered by a Raspberry Pi, used on the local network). Definitely looking for that feature

[gingters]

I also would need this feature.
We are planning on a hybrid app (WebView2 in WinForms) that talks to a web service on the local network which does not have a valid TLS certificate, but a self-signed one. We don't want to have all machines that run the client application to trust the self-signed cert. With CefSharp we can provide the cert to a custom callback, validate it there and allow our own cert, but this doesn't seem to be exposed in WebView2 yet.
Is there any ETA on that idea? I guess, this is a pretty common scenario when working with a webview.

[champnic]

Thanks for the feedback! This work is not scheduled for this quarter, but high on our backlog, so next quarter would be the earliest we are able to deliver this functionality.

[Steinblock]

@gingters

I am too waiting for this feature.

As a workaround I currently disable all certificate errors (found this solution on stackoverflow

This is not as good as pinning my self signed certificate since it allows all certificates and is vulnerable to MITM attacks but since I control which urls can be accessed and the software is used in a controlled local network environment this is ok for me for now.

        private void Init()
        {
            this.webView.CoreWebView2InitializationCompleted += WebView_CoreWebView2InitializationCompleted;
        }

        private async void WebView_CoreWebView2InitializationCompleted(object sender, CoreWebView2InitializationCompletedEventArgs e)
        {
            var result = await webView.CoreWebView2.CallDevToolsProtocolMethodAsync("Security.setIgnoreCertificateErrors", "{\"ignore\": true}");
        }

[trametheka]

Hey @champnic , are there any updates on how this is progressing or an ETA? Thanks!

[monica-ch]

@trametheka We are working on the API design, and you can expect API review spec doc soon for the feedback. Experimental feature should be available by mid-March.

[monica-ch]

Hi all, we've completed our design for the Server Certificate API! Please review the pull request and add any feedback you have about this API. We appreciate your input and support!

[trametheka]

Hi @monica-ch ,

Spec looks like everything I need, look forward to the implementation!

[monica-ch]

Hi all! Server certificate API is in our pre-release package and is ready to be tried out in an experimental state. Try it out and let us know your feedback!

Win32 API: https://docs.microsoft.com/en-us/microsoft-edge/webview2/reference/win32/icorewebview2experimental15?view=webview2-1.0.1222-prerelease

.NET API: https://docs.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2.servercertificateerrordetected?view=webview2-dotnet-1.0.1222-prerelease