Disable the Webview2 security policy #1507

Open
jinpy666 opened this issue Jun 29, 2022 · 16 comments
Labels
Enhancement New feature or request

@jinpy666

Is your feature request related to a problem? Please describe.

For some crawlers, multi-account management of web projects is very meaningful. I hope this can be supported. Thank you so much for your team's work.

Describe the solution you'd like

CORS requests need to be supported.
Read and write cookies and storages of any site.

Describe alternatives you've considered

No response

Additional context

No response

@jinpy666 jinpy666 added the Enhancement New feature or request label Jun 29, 2022
@misitebao
Contributor

You can follow this issue.

MicrosoftEdge/WebView2Feedback#2558

@yildirimcagri-msft

yildirimcagri-msft commented Jul 1, 2022

Hi, you can use the --disable-web-security browser flag (at your own risk, since this disables security policies such as cross-origin restrictions :) ) to achieve what you are looking for. You can set additional browser arguments for WebView2 via CoreWebView2EnvironmentOptions. We don't intend to provide an API for this at the moment due to the security risks involved. Hope this helps!

@jinpy666
Author

jinpy666 commented Jul 2, 2022

Thank you~ @yildirimcagri @misitebao

@KiddoV
Contributor

KiddoV commented Aug 2, 2022

This would answer my #1375 as well, but I am still not sure how you put the flag --disable-web-security in Wails?

@leaanthony
Member

Yeah, we could look at just adding a passthrough string to the options. I haven't really had a chance to consider the implications though

@Qendolin

Qendolin commented Sep 7, 2022

The CORS policy really is a pain since reading local files is a common use-case for desktop apps and 'proxying' them via the asset handler is not always feasible and presents a security risk if not properly implemented. I hope this issue is resolved soon.

@leaanthony
Member

It's scheduled. If you want to raise a PR sooner, feel free 👍

@leaanthony leaanthony added this to the v2.1.0 milestone Sep 7, 2022
@leaanthony leaanthony modified the milestones: v2.1.0, v2.2.0 Oct 1, 2022
@fynxiu

fynxiu commented Nov 1, 2022

  os.Setenv("WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS", "--disable-web-security")

@stffabi
Collaborator

stffabi commented Nov 1, 2022

>   os.Setenv("WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS", "--disable-web-security")

That won't work anymore since PR #1771 has been merged, and it will also not work with the new native go-webview2loader (currently experimental) merged with PR #1974.

@leaanthony
Member

Yeah we plan on supporting this in a better way @fynxiu

@stffabi
Copy link
Collaborator

stffabi commented Nov 1, 2022

Yeah, supporting this is now pretty straightforward with the new go-webview2loader.

From a personal view, I'm still not 100% sure if this should be supported right out of the box, because that easily opens an app up to several security problems if one doesn't take care of what will be loaded into the frontend.

@haranobuhardo

> It's scheduled. If you want to raise a PR sooner, feel free 👍

Hi @leaanthony, sorry for replying to an old issue, but may I know what the latest status of this enhancement is? I see someone opened PR #2476 a couple of months ago, but it hasn't been finalized yet.

I really need this feature to use Wails any further, and I'm willing to help create a PR if it is still "relevant" (since this feature should be included in the 2.3 milestone, but was somehow ignored).

@leaanthony
Member

Yeah, I think this is the wrong way to go about it. The correct way would be to use middleware to make the requests for you and ignore the TLS certificates in Go. That way it'll work on all platforms and we don't relax the webview security policy.

@haranobuhardo

> Yeah, I think this is the wrong way to go about it. The correct way would be to use middleware to make the requests for you and ignore the TLS certificates in Go. That way it'll work on all platforms and we don't relax the webview security policy.

So, it's like creating a universal CORS middleware and keeping the middleware running as long as the user needs the feature to bypass CORS. Correct?

@leaanthony
Member

It's not just about CORS but in general I'd choose to deal with remote resources in Go. You can lock it down better.
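
Added example (not part of the thread and not Wails code): a sketch of handling remote resources in Go while keeping the webview's web security on. The frontend asks a same-origin handler for a remote URL, and Go fetches it only if the target passes an allowlist. The names `allowedHosts`, `checkTarget` and `remoteHandler`, the `url` query parameter and the host `api.example.com` are assumptions; wiring the handler into the app's asset handler is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"time"
)

var allowedHosts = map[string]bool{"api.example.com": true} // constructed allowlist (assumption)

// checkTarget accepts only https URLs without credentials whose host matches
// the allowlist exactly (a different port or letter case is rejected).
func checkTarget(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.User != nil || !allowedHosts[u.Host] {
		return errors.New("target not allowed")
	}
	return nil
}

// client leaves TLS verification at Go's default (on) and re-checks every redirect hop.
var client = &http.Client{
	Timeout:       10 * time.Second,
	CheckRedirect: func(req *http.Request, _ []*http.Request) error { return checkTarget(req.URL.String()) },
}

// remoteHandler fetches ?url=... on behalf of the frontend: GET only, body capped at 1 MiB.
func remoteHandler(w http.ResponseWriter, r *http.Request) {
	target := r.URL.Query().Get("url")
	if r.Method != http.MethodGet || checkTarget(target) != nil {
		http.Error(w, "request not allowed", http.StatusForbidden)
		return
	}
	resp, err := client.Get(target)
	if err != nil {
		http.Error(w, "upstream error", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	w.Header().Set("Content-Type", resp.Header.Get("Content-Type"))
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, io.LimitReader(resp.Body, 1<<20))
}

func main() {
	fmt.Println(checkTarget("https://api.example.com/v1"), checkTarget("http://api.example.com/v1"))
}
```

Only the Content-Type header is copied back, so upstream cookies and other response headers never reach the frontend.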

@imthatgin

Is there a viable way to bypass X-Frame-Options in Wails today, for purely local apps?
