Develop secure WebView2 apps
WebView2 allows developers to host web content in the native applications. When used correctly, hosting web content offers several advantages, such as using web-based UI, accessing features of the web platform, or sharing code cross-platform.
In a web browser, websites are granted limited powers in a sandboxed environment. However, when hosting web content in a native application, the web content can access the native application's resources and APIs. This can lead to security vulnerabilities if the web content is not properly isolated from the host application. To avoid these vulnerabilities, follow the below practices to improve the security of your WebView2 application.
Treat all web content as insecure
Always check the origin of the document that's running inside WebView2, and assess the trustworthiness of the content, especially before using
ExecuteScript,PostWebMessageAsJson,PostWebMessageAsString, or any other method to send information into the WebView2 control. The WebView2 control may have navigated to another page via the end user interacting with the page or script in the page causing navigation. The origin of the document can be obtained from theSourceproperty of the WebView2 control.Be careful with
AddScriptToExecuteOnDocumentCreated. All futurenavigationsrun the same script, and if that script provides access to information that's intended only for a certain origin, any HTML document may have access to the native application's resources and APIs.Validate web messages and host object parameters before consuming them, because web messages and parameters can be malformed (unintentionally or maliciously) and can cause the app to behave unexpectedly.
When examining the result of an
ExecuteScriptmethod call, which is aWebMessageReceivedevent, always check theSourceproperty of the WebView2 control to check the source of the sender, or check any other mechanism of receiving information from an HTML document in a WebView2 control, to validate that the URI of the HTML document is what you expect.
Avoid generic proxies
Design specific web messages and host object interactions, instead of using generic proxies.
Use PostWebMessageAsJson to send messages
Use the PostWebMessageAsJson method to send messages to the WebView2 control. When constructing a message to send into a WebView2 control, prefer using PostWebMessageAsJson and construct the JSON string parameter using a JSON library. This avoids any potential accidents of encoding information into a JSON string or script, and ensures that no attacker-controlled input can modify the rest of the JSON message or run arbitrary JavaScript code.
Restrict web content functionality
Restrict web content functionality, if it's not needed. Update the WebView2 properties in CoreWebView2Settings to restrict the functionality of the web content, as follows:
Set
AreHostObjectsAllowedtofalse, if you don't expect the web content to access host objects.Set
IsWebMessageEnabledtofalse, if you don't expect the web content to post web messages to your native application.Set
IsScriptEnabledtofalse, if you don't expect the web content to run scripts (for example, when showing static HTML content).Set
AreDefaultScriptDialogsEnabledtofalse, if you don't expect the web content to showalertorpromptdialogs.
Update settings based on the origin of the new page
Update settings based on the origin of the new page, as follows:
To prevent your application from navigating to certain pages, use the
NavigationStartingandFrameNavigationStartingevents to check page or frame navigation, and then conditionally block the navigation.When navigating to a new page, you may need to adjust the property values on the
CoreWebView2Settingsobject to match the security requirements of the new page, as described in Restrict web content functionality, above.
Remove exposed host objects
When navigating to a new document, use the ContentLoading event and RemoveHostObjectFromScript to remove exposed host objects.
WebView2 cannot be run as a system user
WebView2 cannot be run as a system user. This restriction blocks scenarios such as building a Credential Provider.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for