
[Inquiry]: Is it possible to create a list of allowed URLs

Open szilvaa-adsk opened this issue 1 year ago • 4 comments

Description

I'd like to isolate my application such that it can only access URLs that I allowed in the manifest. Is this possible? The granularity appears to be rather limited: https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation#network-isolation

This would be useful to mitigate the scenario when my app is compromised (e.g. via an input file) and the compromised app wants to exfiltrate stolen data.

szilvaa-adsk avatar May 23 '24 23:05 szilvaa-adsk

Hi, @szilvaa-adsk.

Thank you so much for your input! This is currently not supported, and we don't have immediate plans for it. We will try to take a look in the future.

Thank you so much for your valuable participation!

cchavez-msft avatar Jun 26 '24 20:06 cchavez-msft

I don't think it's worth implementing such a mechanism for requests made by the Windows API. Most applications use their own HTTP library.

Allowing the App Container to specify a virtual network device (driver) or other L2/L3 network interception mechanism could be useful for more advanced cases.

However, with the arrival of ECH (Encrypted Client Hello) over TLS, it would no longer be possible to determine an origin via Deep Packet Inspection (DPI). DNS detection will also not work when using Secure DNS over HTTPS.

RealAlphabet avatar Jul 23 '24 14:07 RealAlphabet

The right way to implement this would be to block direct outbound network connections but expose a loopback address that points to an HTTP proxy running outside of the app silo.

mikehearn avatar Jan 21 '25 15:01 mikehearn
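The allow/deny decision such a proxy would make, as an added example that is not part of the thread or of the win32-app-isolation project. The host names, the `ALLOWED` set and the function names are constructed for illustration. An explicit proxy is told the destination in the request line, so no packet inspection is needed, but for HTTPS it sees only host and port, not the URL path.

```python
from urllib.parse import urlsplit

# Constructed allowlist: (host, port) pairs the isolated app may reach.
ALLOWED = {("api.example.com", 443), ("updates.example.com", 443),
           ("telemetry.example.com", 80)}

def _normalize(host):
    # Lower-case and drop the trailing root dot so "API.example.com." matches.
    return host.lower().rstrip(".") if host else None

def parse_target(request_line):
    """Return (host, port) named by a proxy request line, or None if malformed."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    try:
        if method == "CONNECT":
            # authority-form "host:port" (used for TLS tunnels); port is mandatory.
            u = urlsplit("//" + target)
            if u.path or u.query or u.username is not None or u.port is None:
                return None
            return _normalize(u.hostname), u.port
        # absolute-form: plain HTTP sent through the proxy.
        u = urlsplit(target)
        if u.scheme.lower() != "http" or u.username is not None:
            return None  # origin-form, other schemes and userinfo are refused
        return _normalize(u.hostname), (u.port if u.port is not None else 80)
    except ValueError:  # out-of-range port or malformed IPv6 literal
        return None

def decide(request_line, allowed=ALLOWED):
    """Default-deny decision for one request line: 'allow' or 'deny'."""
    target = parse_target(request_line)
    if target is None or target[0] is None:
        return "deny"
    return "allow" if target in allowed else "deny"
```
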

> Allowing the App Container to specify a virtual network device (driver) or other L2/L3 network interception mechanism could be useful for more advanced cases.

> The right way to implement this would be to block direct outbound network connections but expose a loopback address that points to an HTTP proxy running outside of the app silo.

Right.


Part of: FirewallRules Capability of AppContainers:

  • https://github.com/microsoft/windowsappsdk/issues/219. (but for, both per-app basis and for the other apps, this main app allows to listen to.)

Similar to/A similar feature request:

  1. https://github.com/microsoft/win32-app-isolation/issues/42

mominshaikhdevs avatar Mar 30 '25 05:03 mominshaikhdevs