Skip to content

API Review: Trusted Origin APIs #5438

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
chetanpandey1266 wants to merge 4 commits into
base: user/chetanpandey/TrustedOriginSpecNew
Choose a base branch
from
Open

API Review: Trusted Origin APIs #5438

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0b99599
API review first draft
chetanpandey1266 Nov 12, 2025
d9fb9b3
some minor improvements
chetanpandey1266 Nov 12, 2025
c6bdc55
persistent storage and remove * condition
chetanpandey1266 Nov 24, 2025
d5b13d2
improved comments
chetanpandey1266 Nov 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
213 changes: 213 additions & 0 deletions specs/TrustedOrigin.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,213 @@
Trusted Origin Support for WebView2
===

# Background

WebView2 applications often require different security and feature policies for different origins based on trust levels. Some applications need to enable specific features only for trusted origins while applying stricter security measures to untrusted content.

Currently, WebView2 applies uniform security policies across all origins, which creates two key challenges:
- **Feature Access Control**: Applications cannot selectively enable advanced features (such as certain APIs or capabilities) only for origins they trust, forcing them to either expose these features to all origins or disable them entirely.
- **Performance vs Security Trade-offs**: Security features like Enhanced Security Mode, while important for untrusted content, can impact performance when applied to trusted origins where such protections may be unnecessary.

For example, a content management application might want to allow full feature access and disable security restrictions when loading trusted administrative interfaces, while maintaining strict security policies for user-generated or external content loaded in the same WebView2 instance.

The Trusted Origin API addresses these scenarios by allowing applications to designate specific origins as trusted, enabling fine-grained control over which security and feature policies apply to different content sources.

# Description

This specification introduces the following APIs.

1. On `CoreWebView2Profile`

- **GetOriginSettings**: Get the list of `CoreWebView2OriginSetting` for this profile.
- **CreateOriginSetting**: Create and return a new `CoreWebView2OriginSetting` object.
2. `ICoreWebView2OriginSetting`interface, which exposes get and set APIs for the following features. These APIs are used to set the state of these features.

- AccentColor
- EnhancedSecurityMode
- PersistenceStorage
- TrackingPrevention

The feature state can have three values which are defined by OriginSettingState {
Default,
Allow,
Block}

# Example

## Set Origin Setting for an Origin Pattern

### C++ example

```cpp
void ScenarioTrustedOrigin::SetFeatureForOrigins(std::wstring originPattern)
{
auto stagingProfile3 =
m_webviewProfile.try_query<ICoreWebView2StagingProfile3>();

wil::com_ptr<ICoreWebView2StagingOriginSettingCollection> originSettingCollection;
stagingProfile3->GetOriginSettings(&originSettingCollection);

wil::com_ptr<ICoreWebView2StagingOriginSetting> originSetting;
stagingProfile3->CreateOriginSetting(&originSetting);

CHECK_FAILURE(originSetting->put_OriginPattern(originPattern.c_str()));

// Block Accent Color
CHECK_FAILURE(originSetting->put_AccentColor(OriginSettingState::OriginSettingState_BLOCK));

// Allow Persistence Storage
CHECK_FAILURE(originSetting->put_PersistenceStorage(OriginSettingState::OriginSettingState_ALLOW));

UINT32 count;
CHECK_FAILURE(originSettingCollection->get_Count(&count));
CHECK_FAILURE(originSettingCollection->InsertValueAtIndex(count, originSetting.get()));
}
```

### .NET/WinRT

```c#
var profile = webView2.CoreWebView2.Profile;

var originSetting = profile.CreateOriginSetting();
originSetting.OriginPattern = "https://*.contoso.com";
originSetting.AccentColor = OriginSettingState.Block;
originSetting.PersistenceStorage = OriginSettingState.Allow;

var originSettings = profile.GetOriginSettings();
originSettings.Add(originSetting);
```


# API details

## C++
```cpp
[v1_enum]
typedef enum OriginSettingState {
/// Default state of the feature
OriginSettingState_DEFAULT = 0x0,
/// Allow the feature
OriginSettingState_ALLOW = 0x1,
/// Block the feature
OriginSettingState_BLOCK = 0x2,
} OriginSettingState;

interface ICoreWebView2StagingProfile3 : IUnknown {
/// Gets the list of origin settings associated with this profile.
HRESULT GetOriginSettings(
[out, retval] ICoreWebView2StagingOriginSettingCollection** value);

/// Creates a new `OriginSetting` object.
HRESULT CreateOriginSetting(
[out, retval] ICoreWebView2StagingOriginSetting** value);
}

/// Represents settings for a specific origin.
interface ICoreWebView2StagingOriginSetting : IUnknown {
/// Gets the `AccentColor` property.
[propget] HRESULT AccentColor([out, retval] OriginSettingState* value);


/// Sets the enabled property for Accent Color for the associated origin.
/// The default value for this is `Block`. When set to `Allow`, the origin is
/// allowed to use AccentColor keyword or accent-color CSS property to display OS Accent Color.
[propput] HRESULT AccentColor([in] OriginSettingState value);


/// Gets the `EnhancedSecurityMode` property.
[propget] HRESULT EnhancedSecurityMode([out, retval] OriginSettingState* value);


/// Sets the enabled property for Enhanced Security Mode for the associated origin.
/// When set to `Block`, the origin bypasses Enhanced Security Mode even if
/// Enhanced Security Mode is enabled for the profile. Similarly, when set to `Allow`,
/// the origin enforces Enhanced Security Mode even if Enhanced Security Mode is disabled
/// for the profile.
[propput] HRESULT EnhancedSecurityMode([in] OriginSettingState value);


/// Gets the `OriginPattern` property.
///
/// The caller must free the returned string with `CoTaskMemFree`. See
/// [API Conventions](/microsoft-edge/webview2/concepts/win32-api-conventions#strings).
[propget] HRESULT OriginPattern([out, retval] LPWSTR* value);


/// Sets the origin pattern associated with this origin setting.
/// The origins pattern can be both exact origin strings and wildcard patterns.
/// For wildcard patterns, `*` matches zero or more characters.
/// Examples:
/// | Origin Filter String | What It Matches | Description |
/// |---------|-----------------|-------------|
/// | `https://contoso.com` | Only `https://contoso.com` | Matches the exact origin with specific protocol and hostname |
/// | `https://*.contoso.com` | `https://app.contoso.com`,`https://api.contoso.com`,`https://admin.contoso.com` | Matches any subdomain under the specified domain |
/// | `*://contoso.com` | `https://contoso.com`,`http://contoso.com`,`ftp://contoso.com` | Matches any protocol for the specified hostname |
/// | `*contoso.*` | `https://www.contoso.com`,`http://app.contoso.com` | Matches any protocol and any subdomain under the hostname |
/// | `*example/` | `https://app.example/`,`https://api.example/` | Matches any subdomain and top-level domain variations |
/// | `https://xn--qei.example/` | `https://❤.example/`,`https://xn--qei.example/` | Normalized punycode matches with corresponding Non-ASCII hostnames |
///
/// Note: `*` is not a valid value for OriginPattern.
///
/// The caller must free the returned string with `CoTaskMemFree`. See
/// [API Conventions](/microsoft-edge/webview2/concepts/win32-api-conventions#strings).
[propput] HRESULT OriginPattern([in] LPCWSTR value);


/// Gets the `PersistenceStorage` property.
[propget] HRESULT PersistenceStorage([out, retval] OriginSettingState* value);


/// Sets the enabled property for Persistence Storage for the associated origin.
/// The default value for this is `Block`. When set to `Allow`, the storage created
/// on this origin persists even when browser evicts storage under low disk space conditions.
[propput] HRESULT PersistenceStorage([in] OriginSettingState value);


/// Gets the `TrackingPrevention` property.
[propget] HRESULT TrackingPrevention([out, retval] OriginSettingState* value);


/// Sets the enabled property for Tracking Prevention for the associated origin.
/// When set to `Block`, the origin bypasses Tracking Prevention even if
/// Tracking Prevention is enabled for the profile. Similarly, when set to `Allow`,
/// the origin enforces Tracking Prevention even if Tracking Prevention is disabled
/// for the profile.
[propput] HRESULT TrackingPrevention([in] OriginSettingState value);
}
```

## .Net/WinRT

```c#
namespace Microsoft.Web.WebView2.Core
{
enum Originsettingstate
{
Default = 0,
Allow = 1,
Block = 2,
};

runtimeclass CoreWebView2OriginSetting
{
Originsettingstate AccentColor { get; set; };

Originsettingstate EnhancedSecurityMode { get; set; };

String OriginPattern { get; set; };

Originsettingstate PersistenceStorage { get; set; };

Originsettingstate TrackingPrevention { get; set; };
}

runtimeclass CoreWebView2Profile
{
IVector<CoreWebView2OriginSetting> GetOriginSettings();

CoreWebView2OriginSetting CreateOriginSetting();
}
}
```