SOLVED

Edge Beta v86 broke policies for WebView2

%3CLINGO-SUB%20id%3D%22lingo-sub-1665475%22%20slang%3D%22en-US%22%3EEdge%20Beta%20v86%20broke%20policies%20for%20WebView2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1665475%22%20slang%3D%22en-US%22%3E%3CP%3EI%20see%20that%20after%20the%20update%20of%20Edge%20Beta%20to%20v86%2C%20the%20policies%20set%20in%20registry%20no%20longer%20work%20for%20Webview2-based%20browsers.%20E.g.%20I%20can%20freely%20download%20files%20on%20the%20browser%20despite%20DownloadRestrictions%20set%20to%203%20(block%20all).%26nbsp%3B%3C%2FP%3E%3CP%3EYet%2C%20there%20is%20no%20such%20problem%20with%20v85%20(Stable%20channel)%2C%20or%20when%20using%20standalone%20Edge%20Beta%20v86%2C%20policies%20are%20respected.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20this%20a%20bug%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1666436%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Beta%20v86%20broke%20policies%20for%20WebView2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1666436%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793221%22%20target%3D%22_blank%22%3E%40alexbond%3C%2FA%3E%26nbsp%3B%2C%20this%20is%20a%20change%20introduced%20in%20recent%20release%2C%20see%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-edge%2Fwebview2%2Freleasenotes%2309622%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERelease%20Notes%20for%20Microsoft%20Edge%20WebView2%20for%20Win32%2C%20WPF%2C%20and%20WinForms%20-%20Microsoft%20Edge%20Development%20%7C%20Microsoft%20Docs%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWebView%20does%20not%20respect%20Edge%20browser%20policies.%20Edge%20and%20apps%20are%20separate%20management%20scenarios%20and%20we%20don't%20want%20browser%20policies%20to%20affect%20apps%20(e.g.%20admin%20blocks%20JavaScript%20in%20Edge%20then%20realizes%20in%20horror%20that%20a%20bunch%20of%20apps%20are%20broken).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1666457%22%20slang%3D%22en-US%22%3ERe%3A%20Edge%20Beta%20v86%20broke%20policies%20for%20WebView2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1666457%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793221%22%20target%3D%22_blank%22%3E%40alexbond%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELike%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F616276%22%20target%3D%22_blank%22%3E%40LingAmy%3C%2FA%3E%26nbsp%3Bmentioned%2C%20this%20is%20by%20design.%20We%20believe%20that%20apps%20and%20browsers%20are%20separate%20scenarios%2C%20and%20admin%20usually%20doesn't%20know%20what%20is%20WebView2%20or%20what%20apps%20use%20WebView2%20(it's%20an%20implementation%20details%20to%20app).%20As%20Ling%20said%2C%20we%20want%20to%20prevent%20cases%20such%20as%20admin%20turning%20off%20JavaScript%20in%20Edge%20and%20then%20realizing%20in%20horror%20that%20a%20seemingly%20random%20set%20of%20apps%20on%20the%20device%20are%20broken%20because%20they%20use%20WebView2%20and%20JavaScript%20underneath.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESpecifically%20to%20your%20comment%20about%20%22%3CSPAN%3EWebview2-based%20browsers%3C%2FSPAN%3E%22%2C%20these%20apps%20that%20are%20built%20on%20top%20of%20the%20browser.%20We%20recommend%20developers%20owning%20these%20apps%20to%20expose%20their%20own%20policies%20to%20control%20WebView2%20download%20behavior%2C%20or%20admins%20can%20block%20those%20apps%20from%20installing%20if%20they%20are%20malicious.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I see that after the update of Edge Beta to v86, the policies set in registry no longer work for Webview2-based browsers. E.g. I can freely download files on the browser despite DownloadRestrictions set to 3 (block all). 

Yet, there is no such problem with v85 (Stable channel), or when using standalone Edge Beta v86, policies are respected.

 

Is this a bug?

5 Replies
Highlighted

@alexbond , this is a change introduced in recent release, see Release Notes for Microsoft Edge WebView2 for Win32, WPF, and WinForms - Microsoft Edge Development ...

WebView does not respect Edge browser policies. Edge and apps are separate management scenarios and we don't want browser policies to affect apps (e.g. admin blocks JavaScript in Edge then realizes in horror that a bunch of apps are broken).

Highlighted
Best Response confirmed by alexbond (New Contributor)
Solution

@alexbond 

 

Like @LingAmy mentioned, this is by design. We believe that apps and browsers are separate scenarios, and admin usually doesn't know what is WebView2 or what apps use WebView2 (it's an implementation details to app). As Ling said, we want to prevent cases such as admin turning off JavaScript in Edge and then realizing in horror that a seemingly random set of apps on the device are broken because they use WebView2 and JavaScript underneath. 

 

Specifically to your comment about "Webview2-based browsers", these apps that are built on top of the browser. We recommend developers owning these apps to expose their own policies to control WebView2 download behavior, or admins can block those apps from installing if they are malicious.

Highlighted

Thank you @liminzhu and @LingAmy 

 

with that, can you point to the WebView2 API that allows to block downloads on the WebView2-based browser, so I can implement my own policy on that?

Highlighted

@alexbond download is one of the scenarios we're looking at actually. I'd encourage following https://github.com/MicrosoftEdge/WebViewFeedback/issues/419

 

There isn't a WebView2 API per se today that blocks download, but before we expose one, there is a workaround. You can use CallDevToolsProtocolMethod (https://docs.microsoft.com/en-us/microsoft-edge/webview2/reference/win32/0-9-622/icorewebview2#calld...) to call Chrome DevTool Protocol APIs (https://chromedevtools.github.io/devtools-protocol/) from WebView2, and Browser.setDownloadBehavior (https://chromedevtools.github.io/devtools-protocol/tot/Browser/#method-setDownloadBehavior) lets you block download.

Highlighted

Thank you @liminzhu ,

 

that's very helpful. Can you also help me understand of the ways I can be informed about upcoming/planned disrupting changes like this with Webview2? This is impacting our company business and I'd want to avoid it when possible. Is there anything besides https://docs.microsoft.com/en-us/microsoft-edge/webview2/releasenotes I can look at?

 

Also, note that the above release notes state that browser policies disconnected in WebView v0.9.622.

Yet it's clear that this change is unrelated to WebView2 version (e.g. policy disconnect still happens with v0.9.430), and is rather tied to Edge v86 release with any compatible WebView2. You might want to correct the page to avoid confusion there.