WebView2Feedback icon indicating copy to clipboard operation
WebView2Feedback copied to clipboard
verified publisher icon MicrosoftEdge

[Problem/Bug]: Download PDF from HTTP blocked

Open Tifoso-1979 opened this issue 1 year ago • 10 comments

What happened?

With version 124.0.2478.51 PDF files have been blocked from HTTP source (internal network). With version 123.0.2420.97 it was working without restriction. I have also tried to add this HTTP source to allow list "insecure content" but it doesn't help.

Importance

Important. My app's user experience is significantly compromised.

Runtime Channel

Stable release (WebView2 Runtime)

Runtime Version

124.0.2478.51

SDK Version

No response

Framework

Other

Operating System

Windows 10

OS Version

Win10, 22H2, 19045.4291

Repro steps

download pdf from http source (internal trusted network/Source). pdf have been blocked, error message "file can't be downloaded"

Repros in Edge Browser

Yes, issue can be reproduced in the corresponding Edge version

Regression

Regression in newer Runtime

Last working version (if regression)

123.0.2420.97

AB#50289352

Tifoso-1979 avatar Apr 23 '24 09:04 Tifoso-1979

additional note: the problems seems to be releated with the build in pdf viewer in edge. open pdf from untrusted source HTTP and try to save show me the error.

Tifoso-1979 avatar Apr 23 '24 13:04 Tifoso-1979

@Tifoso-1979 Do you also see the same issue in Edge browser?

monica-ch avatar Apr 23 '24 18:04 monica-ch

@Tifoso-1979 In WebView2 124.0.2478.51+, downloading files over HTTP is blocked and displays the message “xxx can’t be downloaded securely” . This is by design and aligned to the Chromium "HTTPS by default" initiative to provide enhanced security.

To address the issue you’re facing with the app, here are the workarounds you can consider:

  1. Upgrade to HTTPS: Upgrading to HTTPS can enhance security and may resolve certain issues related to content downloading or display.
  2. Manual File Keeping: For the default downloads UI, instruct end users to manually keep the file when prompted. image
  3. Use DownloadStarting: Implement the DownloadStarting event in your application. This allows the app to handle download requests and potentially block the default download dialog, enabling downloads to proceed without interruption.

Here’s a sample code snippet on how you might use the DownloadStarting event:

webView.CoreWebView2.DownloadStarting += (sender, args) =>
{
    // Implement custom download handling logic here
    args.Handled = true; // Set to true to block the default download dialog
};

monica-ch avatar Apr 23 '24 22:04 monica-ch

thank you for the answer. Is there a possibility to configure an exeption. In the edge browser settings it is possiblice to configure and allow insecure content but this is not matching with the buildin pdf viewer.

image

Tifoso-1979 avatar Apr 24 '24 06:04 Tifoso-1979

We are also experiencing this issue with the build mentioned... When our users attempt to download a PDF from our online cloud platform the PDF will pop out in a new window (Edge window). The URL field with some content is about:blank and cannot be exempt. There's no error message but the file doesn't appear in the downloads section of Edge. The file "downloaded" does appear in the saved location but will disappear once the Edge session is closed. about_blank

The URL field with other content we attempt to download (from the same cloud platform) will show the full https://* URL and we can successfully download the PDF. https_url

When we download content from the about:blank page and save the files to Folder-A it remains visible and accessible until we close the Edge session. Immediately upon closing the Edge session is when the data will disappear. If we copy Folder-A and paste that to Folder-B, the content will remain in Folder-B but disappear from Folder-A.

mrn3ff avatar Apr 25 '24 17:04 mrn3ff

Same as here with the Edge Browser https://techcommunity.microsoft.com/t5/enterprise/mixed-mode-content-download-warning/m-p/4118977 But there is no setting in WebView2 for "Insecure downloads over HTTP"

andrej-w avatar Apr 30 '24 04:04 andrej-w

@Tifoso-1979 @andrej-w Currently, there is no direct API or setting in WebView2 that allows you to add sites and explicitly allow “insecure content.”

Could you please create a feature request with us? Keep in mind that it may take some time for us to investigate and release the requested feature due to backlog priorities. However, you can follow a workaround.

monica-ch avatar Apr 30 '24 20:04 monica-ch

@Tifoso-1979 @andrej-w @mrn3ff We've reverted the download warning in Edge/Webview2 for HTTP in recent stable patch see here and expected to be turn on very soon. Please work on to upgrading to HTTPS or use DownloadStarting to allow downloads to avoid issues when the feature is turned on.

monica-ch avatar Apr 30 '24 22:04 monica-ch

We recommend you to setup automated pipeline to test important features with pre-release channel to figure out this regression way ahead of stable.

https://github.com/MicrosoftEdge/WebView2Announcements/issues/93

monica-ch avatar Apr 30 '24 22:04 monica-ch

@monica-ch thank you for the help. With the version 124.0.2478.67 it is working as before. In the release notes it is written that this security will be enabled again with version 127.x. For me it is important that we can configure exceptions which are working for the built-in pdf feature and classic browser mode.

image

Tifoso-1979 avatar May 01 '24 05:05 Tifoso-1979

@Tifoso-1979 I am closing the current issue. Feel free to open a feature request to allow/block Insecure content in WV2.

monica-ch avatar May 13 '24 17:05 monica-ch