Starting in Microsoft Edge 77 (and Chrome 77), the prompt shown when launching an AppProtocol from the browser was changed to remove the “Always allow” checkbox. That change was made, in large part, because this prompt is the only thing standing between every arbitrary site on the Internet (loaded inside your browser’s sandbox) and a full-trust application on your computer (running outside of the browser’s sandbox). See the blog post for more details on why AppProtocols are so scary.
After Edge 77, when you try to launch a Microsoft Teams meeting, for instance, you’ll see a UI like this:
Unfortunately, there’s a downside to this security improvement.
The same prompt that protects users from malicious content on https://BadGuy.example also shows every single time the legitimate Microsoft Teams website tries to open its related application. Users complain that the security prompt feels redundant, and IT departments have howled that they’ll have to retrain users and field helpdesk calls.
In Edge 82.0.425.0 Canary, a new flag was added:
…and in Edge 84 it was enabled by default.
The prompt now includes a new checkbox: “Always allow <hostname> to open links of this type in the associated app”:
By storing exemptions on a per-site, per-scheme basis, attack surface is significantly reduced, because only sites you’ve specifically allowed in the past are permitted to bypass the prompt.
This change is also available in other browsers based on Chromium 84+.
Some notes on this change:
- Exemptions are stored on a per-scheme, per-origin basis (e.g. “Allow teams: from https://teams.microsoft.com“, so if multiple origins use the same scheme, you’ll need to exempt each one.
- Stored exemptions are origin specific:
https://site.exampleand https://www.site.example and http://site.exampleare all different origins. - Stored exemptions are only available for secure origins (basically: HTTPS, HTTP-to-Localhost, and FILE).
- This checkbox can be disabled using Group Policy.
- Starting in Edge 85, a new Group Policy allows an admin to preapprove exemption pairs (including non-secure origins) on behalf of their users.
- In Edge 86 and later, you can see user-granted and Group Policy pushed exemptions by navigating to
edge://settings/content/applicationLinksin the browser. You can also remove user-granted exemptions in this page. - To clear all user-granted exemptions (in any version), you may use the “Cookies and other site data” checkbox in the Clear Browsing Data dialog box. Note that you can set the time range to anything you like– all Origin+Scheme exemptions will be cleared.
You can experiment with this feature using the AppProtocol test page.
-Eric
We would love an option to only allow “Trusted sites” so that users do not have to decide if they trust a website enough to open the app.
How would Edge know whether you think a site should be considered a “trusted site”?
There would have to be a list which can be configured. We do have the concept in Internet Explorer and in Office Applications (trusted Locations).
Problem with prompts is that they are usually confirmed no matter what text they contain.
Ah, a site list. Some discussion of the topic here: https://textslashplain.com/2020/01/30/security-zones-in-edge/. One challenge is that ideally we’d have not just a site-list, but rather allow policy control over the Sites-To-AllowedSchemes map.