Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Need an API to clear WebView cache/stored passwords #33

Open
purani opened this issue Jun 21, 2018 · 7 comments
Open

Need an API to clear WebView cache/stored passwords #33

purani opened this issue Jun 21, 2018 · 7 comments

Comments

@purani
Copy link

@purani purani commented Jun 21, 2018

I'm submitting a...

Feature request

Current behavior

WebView class does not provide a method to clear cache.

Expected behavior

Clear method in WebView to clear cache

Minimal reproduction of the problem with instructions

Suppose you need to clear cached aspx pages to fetch them from server, there is no exposed method to achieve it.

Environment

Nuget Package(s): Microsoft.Toolkit.Win32.UI.Controls

Package Version(s): 3.0.0

Windows 10 Build Number:
- [ ] Creators Update (15063)
- [ ] Fall Creators Update (16299)
- [x] April 2018 Update (17134)
- [ ] Insider Build (build number: )

App min and target version:
- [ ] Creators Update (15063)
- [ ] Fall Creators Update (16299)
- [x] April 2018 Update (17134)
- [ ] Insider Build (xxxxx)

Device form factor:
- [ ] Desktop
- [ ] Mobile
- [ ] Xbox
- [ ] Surface Hub
- [ ] IoT

Visual Studio 
- [ ] 2017 (version: )
- [ ] 2017 Preview (version: )

@kbrons

This comment has been minimized.

Copy link
Member

@kbrons kbrons commented Jun 22, 2018

I've been doing some research, but I haven't found a way to clean the cache on the WebView implementation we are using. @nmetulev do you know someone who might have a better understanding of this control?

@JohnnyWestlake

This comment has been minimized.

Copy link

@JohnnyWestlake JohnnyWestlake commented Jun 24, 2018

WebView uses the same WinINET cache the UWP HttpClient uses... Which doesn't let you clear it's cache. (Unless you break outside the sandbox). You can optionally use a custom HttpRequestMessage during navigation with custom cache headers if the server responds to them properly.

@rjmurillo rjmurillo self-assigned this Jun 26, 2018
@dckorben

This comment has been minimized.

Copy link

@dckorben dckorben commented Aug 13, 2018

It might help devs who missed the no-cache headers initially. If you remove the specific cached files located in C:\Users\AppData\Local\Packages\Microsoft.Win32WebViewHost_cw5n1h2txyewy\AC
that will effectively reset the webview.
Obviously, of no use in deployed apps and incredibly poor hack but it helped me clear the cache to get the headers on the docs that were influx so testing could continue.

@rjmurillo

This comment has been minimized.

Copy link
Contributor

@rjmurillo rjmurillo commented Oct 24, 2018

@azchohfi azchohfi transferred this issue from windows-toolkit/WindowsCommunityToolkit Jan 15, 2019
@azchohfi azchohfi added this to the 5.1.0 milestone Jan 15, 2019
@michael-hawker michael-hawker removed this from the 5.1.0 milestone Jul 18, 2019
@verelpode

This comment has been minimized.

Copy link

@verelpode verelpode commented Aug 3, 2019

Me too! Although Windows.UI.Xaml.Controls.WebView.ClearTemporaryWebDataAsync exists, this ClearTemporaryWebDataAsync method doesn't exist in Microsoft.Toolkit.Wpf.UI.Controls.WebView nor in Windows.Web.UI.Interop.WebViewControl. However, ClearTemporaryWebDataAsync is a static method therefore could be invoked anyway. Is it acceptable/compatible to invoke ClearTemporaryWebDataAsync in a WPF app that is using Microsoft.Toolkit.Wpf.UI.Controls.WebView?

@purani asked about clearing stored passwords. I haven't checked whether ClearTemporaryWebDataAsync clears passwords. The documentation says only: "Clears the WebView 's cache and IndexedDB data."
Unfortunately it doesn't mention what happens with stored passwords and cookies.

If you use WebViewControlProcess and you terminate your instance and start up a new process/instance, what happens to session state, cookies, passwords?

What's the best way to clear everything in WebView on a shared computer before a different person starts using the computer? To switch to a different person, cookies and passwords need to be deleted, but it's not strictly necessary to delete cached HTML pages, JPEG files, etc. However for extra security, it's good to have the option to also delete all cached files.

The following was a technique for Internet Explorer. Should it be used in conjunction with WebView? Obviously this is only possible outside of the sandbox, such as when WebView is used in a WPF app.

System.Diagnostics.Process.Start("rundll32.exe", "InetCpl.cpl,ClearMyTracksByProcess " + flags);

Here's another ugly hack that was possible with WPF's System.Windows.Controls.WebBrowser. I don't know what happens if you try to use this in conjunction with WebView.

InteropServices.Marshal.WriteInt32(buf, INTERNET_SUPPRESS_COOKIE_PERSIST);
if (!InternetSetOption(IntPtr.Zero, INTERNET_OPTION_SUPPRESS_BEHAVIOR, buf, 4)) _ThrowLastWin32Error();
...and later do:
InternetSetOption(IntPtr.Zero, INTERNET_OPTION_END_BROWSER_SESSION, IntPtr.Zero, 0);
@verelpode

This comment has been minimized.

Copy link

@verelpode verelpode commented Aug 4, 2019

InPrivate mode to support multi-user scenarios:

It would be very useful if WebView (both Microsoft.Toolkit.Wpf.UI.Controls.WebView and Windows.UI.Xaml.Controls.WebView) supported a mode equivalent to the InPrivate mode in the full MS Edge app. This is especially useful to protect/isolate one person's browsing session from the next person's browsing session, so that the next person/user doesn't gain access to the previous person's cookies/sessions/passwords. When a web-enabled computing device is used by multiple different customers or staff members, and one person logs into their web-based email or whatever, this session/cookie data needs to be deleted before the next customer or staff member uses the computing device. This is a major issue for us.

The idea is that you'd create an "InPrivateSession" object and use the same InPrivateSession instance with multiple WebView instances. When you dispose/end the InPrivateSession instance, it should delete all cookies/sessions/passwords that were created during/inside that InPrivateSession instance. Thus an InPrivateSession would be like a container that stores or records all cookies/sessions/passwords created in or during that InPrivateSession and deletes them when the InPrivateSession is disposed/ended. In other words, when a WebView is linked with an InPrivateSession instance, then the lifetime of new cookies should be limited to the lifetime of the InPrivateSession instance.

Regarding deletion of cached webpages, image files, etc, ideally this would be optional. I'd love to have a setting that controls whether cache and cookies is deleted versus only cookies deleted. The problem with deleting all cached files is that it causes a lot of extra network traffic to repeatedly re-download the same files.

@verelpode

This comment has been minimized.

Copy link

@verelpode verelpode commented Aug 5, 2019

I investigated further. An exception is thrown when I try to invoke the static method Windows.UI.Xaml.Controls.WebView.ClearTemporaryWebDataAsync in my test WPF app that uses Microsoft.Toolkit.Wpf.UI.Controls.WebView. Does a workaround exist?

System.Exception
The application called an interface that was marshalled for a different thread. (Exception from HRESULT: 0x8001010E (RPC_E_WRONG_THREAD))

HResult: 0x8001010E
Source: Windows.UI.Xaml
Target Site/Method: Windows.Foundation.IAsyncAction ClearTemporaryWebDataAsync()

Stack Trace:
at Windows.UI.Xaml.Controls.WebView.ClearTemporaryWebDataAsync()
at TestWebView_Wpf.TesterPanel.OnClearCache

My test app is deliberately kept simple -- it does not create any new threads or dispatchers. I presume the RPC_E_WRONG_THREAD error is some side-effect of using XAML Islands.

Package version 6.0.0-preview7. .NET Framework v4.8 running in Windows 10 version 1903 (build 18362.267).

As an ugly workaround/hack until a proper solution is released, is it acceptable to clear WPF WebView's cache (or the whole computer's cache) by using P/Invoke in a WPF app to invoke DeleteUrlCacheEntry and DeleteUrlCacheGroup as described in the following MS webpage?
https://docs.microsoft.com/en-us/windows/win32/wininet/caching

To delete cookies, how about:

  • Invoke WebViewControlProcess.Terminate() to delete cookies that do not have an expiration date, that are stored in the RAM of the process. (Sadly this ability disappears when you finish migrating your app to UWP and switch over to Windows.UI.Xaml.Controls.WebView and stop using WPF WebView.)
  • Hack: To delete cookies that do have an expiration date, delete all files (and folders?) inside Users\JSMITH\AppData\Roaming\Microsoft\Windows\Cookies and Users\JSMITH\AppData\Roaming\Microsoft\Windows\Cookies\Low.
  • Cookies are no longer stored in files. Instead use InternetSetCookieW, DeleteUrlCacheEntry, INTERNET_CACHE_ENTRY_INFO.CacheEntryType, etc.

Re the aforementioned INTERNET_SUPPRESS_COOKIE_PERSIST option with InternetSetOption, I haven't tested it with WPF WebView but I guess it doesn't work anymore because it would need to be set inside the WWAHost process instead of setting it inside your own app's process.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
8 participants
You can’t perform that action at this time.