Starting in Edge 77 (and Chrome 77), the prompt shown when launching an AppProtocol from the browser was changed to remove the “Always allow” checkbox. That change was made, in large part, because this prompt is the only thing standing between every arbitrary site on the Internet (loaded inside your browser’s sandbox) and a full-trust application on your computer (running outside of the browser’s sandbox). See the prior blog post for details on why AppProtocols are so scary.
After Edge 77, when you try to launch a Microsoft Teams meeting, for instance, you’ll see a UI like this:
Unfortunately, there’s a downside to this security improvement.
The same prompt that protects users from malicious content on https://BadGuy.example also shows every single time the legitimate Microsoft Teams website tries to open its related application. Users complain that the security prompt feels redundant, and IT departments have howled that they’ll have to retrain users and field helpdesk calls.
Starting in Edge 82.0.425.0 Canary, a new flag is available:
Visit edge://flags/#edge-exclude-schemes-per-origin, set the flag to Enabled, and restart the browser. After doing so, you’ll see that the prompt now includes a new checkbox: “Always allow <hostname> to open links of this type in the associated app”:
By storing exemptions on a per-site, per-scheme basis, attack surface is significantly reduced, because only sites you’ve specifically allowed in the past are permitted to bypass the prompt.
This change will also be available in browsers based on Chromium 84.
Some notes on this change:
- Exemptions are stored on a per-scheme, per-origin basis (e.g. “Allow teams: from https://teams.microsoft.com“, so if multiple origins use the same scheme, you’ll need to exempt each one.
- Stored exemptions are origin specific: “https://site.example” and “https://www.site.example” and “http://site.example” are all different origins.
- Stored exemptions are only available for secure origins (basically, HTTPS, HTTP-to-Localhost, and FILE).
- This checkbox is visible by default in Edge 84, but can be disabled using the existing Group Policy.
- At present, there is no Group Policy for an admin to push exemption pairs to the client. We are investigating this request.
- To clear stored exemptions, you may continue to use the “Cookies and other site data” checkbox in the Clear Browsing Data dialog box. Note that you can set the time range to anything you like– all Origin+Scheme exemptions will be cleared.
You can experiment with this feature using the AppProtocol test page.
-Eric
We would love an option to only allow “Trusted sites” so that users do not have to decide if they trust a website enough to open the app.
How would Edge know whether you think a site should be considered a “trusted site”?
There would have to be a list which can be configured. We do have the concept in Internet Explorer and in Office Applications (trusted Locations).
Problem with prompts is that they are usually confirmed no matter what text they contain.
Ah, a site list. Some discussion of the topic here: https://textslashplain.com/2020/01/30/security-zones-in-edge/. One challenge is that ideally we’d have not just a site-list, but rather allow policy control over the Sites-To-AllowedSchemes map.