Skip to content

add API spec: IsEnhancedSecurityModeEnabled #5407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: api-IsEnhancedSecurityModeEnabled
Choose a base branch
from
Open

add API spec: IsEnhancedSecurityModeEnabled #5407

wants to merge 7 commits into from

Conversation

@GittyHarsha
Copy link

@GittyHarsha GittyHarsha commented Oct 27, 2025

API to configure Enhanced Security Mode states

@GittyHarsha
Copy link
Author

GittyHarsha commented Oct 28, 2025

@microsoft-github-policy-service agree company="Microsoft"

shrinaths
shrinaths reviewed Oct 30, 2025
View reviewed changes
@GittyHarsha GittyHarsha requested a review from shrinaths October 30, 2025 09:13
david-risney
david-risney reviewed Oct 31, 2025
View reviewed changes
oldnewthing
oldnewthing reviewed Nov 7, 2025
View reviewed changes
specs/IsEnhancedSecurityModeEnabled.md
![image](https://github.com/MicrosoftEdge/WebView2Feedback/assets/82386753/35977716-e46c-4257-82da-906b0c6f833e)

Unlike Microsoft Edge, WebView2 does not support the heuristic-based "Balanced"
level; only Off and Strict are available.
Copy link
Contributor

@oldnewthing oldnewthing Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a possibility that such a mixed mode could arrive in the future? E.g. SetEnhancedSecurityModeExemptDomains("contoso.com") which lets you say "Turn on ESM for all non-contoso sites"?

Could be

enum CoreWebView2EnhancedSecurityMode
{
    Off,
    On,
   // future: OnForUntrustedDomains
}

runtimeclass CoreWebView2Profile
{
    CoreWebView2EnhancedSecurityMode EnhancedSecurityMode { get; set; }
}

?

Copy link
Contributor

@oldnewthing oldnewthing Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right now, ESM does two things. Suppose that we later think of a third thing. Would we

  1. Add it to the things you get when you enable ESM
  2. Make it another tier of ESM that apps have to opt into [IsEnhancedSecurityMode =very true]
  3. Make it an entirely separate feature (Super-Secure Mode) that apps have to opt into separately from ESM

Copy link
Contributor

@FrankC-msft FrankC-msft Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My expectation based on reading "enabling additional OS protections" is that a third thing could already quietly light up when ESM is on.

If we create this as an enum to make it extensible, should probably be { Off, Strict } (instead of "On") since 3rd+ values (e.g. "Balanced" being supported) would be different flavors of "on".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shrinaths shrinaths Awaiting requested review from shrinaths

@david-risney david-risney Awaiting requested review from david-risney

2 more reviewers

@oldnewthing oldnewthing oldnewthing left review comments

@FrankC-msft FrankC-msft FrankC-msft left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@GittyHarsha @david-risney @oldnewthing @shrinaths @FrankC-msft