Bypassing AppProtocol Prompts

Starting in Microsoft Edge 77 (and Chrome 77), the prompt shown when launching an AppProtocol from the browser was changed to remove the “Always allow” checkbox. That change was made, in large part, because this prompt is the only thing standing between every arbitrary site on the Internet (loaded inside your browser’s sandbox) and a full-trust application on your computer (running outside of the browser’s sandbox). See the blog post for more details on why AppProtocols are so scary.

After Edge 77, when you try to launch a Microsoft Teams meeting, for instance, you’ll see a UI like this:

Unfortunately, there’s a downside to this security improvement.

The same prompt that protects users from malicious content on https://BadGuy.example also shows every single time the legitimate Microsoft Teams website tries to open its related application. Users complain that the security prompt feels redundant, and IT departments have howled that they’ll have to retrain users and field helpdesk calls.

In Edge 82.0.425.0 Canary, a new flag was added:

…and in Edge 84 it was enabled by default.

The prompt now includes a new checkbox: “Always allow <hostname> to open links of this type in the associated app”:

By storing exemptions on a per-site, per-scheme basis, attack surface is significantly reduced, because only sites you’ve specifically allowed in the past are permitted to bypass the prompt.

This change is also available in other browsers based on Chromium 84+.

Some notes on this change:

  • Exemptions are stored on a per-scheme, per-origin basis (e.g. “Allow teams: from https://teams.microsoft.com”), so if multiple origins use the same scheme, you’ll need to exempt each one.
  • Stored exemptions are origin specific: https://site.example and https://www.site.example and http://site.example are all different origins.
  • Stored exemptions are only available for secure origins (basically: HTTPS, HTTP-to-Localhost, and FILE).
  • This checkbox can be disabled using Group Policy.
  • Starting in Edge 85, a new Group Policy allows an admin to preapprove exemption pairs (including non-secure origins) on behalf of their users.
  • In Edge 86 and later, you can see user-granted and Group Policy pushed exemptions by navigating to edge://settings/content/applicationLinks in the browser. You can also remove user-granted exemptions in this page.
  • To clear all user-granted exemptions (in any version), you may use the “Cookies and other site data” checkbox in the Clear Browsing Data dialog box. Note that you can set the time range to anything you like; all Origin+Scheme exemptions will be cleared.
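The notes above hinge on three questions: what counts as the same origin, what counts as a secure origin, and which exemptions survive a "clear browsing data". The JavaScript below is an added model of that lookup written for this page; it is not Edge or Chromium source code. The function and class names, the `scheme|origin` key format, and the `{ protocol, allowed_origins }` shape used for admin-pushed pairs are assumptions made for the example.

```javascript
// Added example (not browser source): models the per-scheme, per-origin
// exemption lookup described in the post. All names are assumed.

// Origin of a page URL as scheme://host[:port]. Scheme, host and port all
// count, so https://site.example, https://www.site.example and
// http://site.example are three different origins.
function originOf(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol === 'file:') return 'file://';   // one shared origin for local files (assumption)
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

// "Secure origin" as the post lists it: HTTPS, HTTP to localhost/loopback, FILE.
function isSecureOrigin(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol === 'https:' || u.protocol === 'file:') return true;
  if (u.protocol !== 'http:') return false;
  const host = u.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
         host === '127.0.0.1' || host === '[::1]';
}

// The scheme an app link would hand to the OS, e.g. "teams" for teams://join
function schemeOf(appLink) {
  return new URL(appLink).protocol.replace(/:$/, '').toLowerCase();
}

class ProtocolExemptions {
  // policyPreapprovals: [{ protocol: 'teams', allowed_origins: ['http://intranet.example'] }]
  // pushed by an admin; unlike user grants these may name non-secure origins.
  constructor(policyPreapprovals = []) {
    this.userGrants = new Set();          // "scheme|origin" pairs the user ticked the box for
    this.policy = policyPreapprovals;
  }

  // The "Always allow <hostname> ..." checkbox: only secure origins may be stored.
  // Returns false when the grant is refused.
  grant(scheme, pageUrl) {
    if (!isSecureOrigin(pageUrl)) return false;
    this.userGrants.add(`${scheme}|${originOf(pageUrl)}`);
    return true;
  }

  // What "Cookies and other site data" clearing does in this model: user grants
  // go away, policy-pushed pairs stay.
  clearUserGrants() { this.userGrants.clear(); }

  isExempt(scheme, pageUrl) {
    const origin = originOf(pageUrl);
    if (this.userGrants.has(`${scheme}|${origin}`)) return true;
    return this.policy.some(p => p.protocol === scheme &&
      p.allowed_origins.some(o => originOf(o) === origin));
  }
}

// 'launch' when an exemption covers this exact scheme+origin pair, else 'prompt'.
function decide(store, pageUrl, appLink) {
  return store.isExempt(schemeOf(appLink), pageUrl) ? 'launch' : 'prompt';
}

// Usage with constructed sample data:
const store = new ProtocolExemptions([
  { protocol: 'teams', allowed_origins: ['http://intranet.example'] },
]);
store.grant('teams', 'https://teams.microsoft.com/meet/123');
console.log(decide(store, 'https://teams.microsoft.com/other', 'teams://join'));   // launch (same origin)
console.log(decide(store, 'https://www.teams.microsoft.com/', 'teams://join'));    // prompt (different origin)
console.log(decide(store, 'https://teams.microsoft.com/', 'msteams://join'));      // prompt (different scheme)
console.log(decide(store, 'http://intranet.example/', 'teams://join'));            // launch (admin policy)
```

Two things the model makes visible: a grant for `teams:` from `https://teams.microsoft.com` says nothing about `msteams:` or about `www.teams.microsoft.com`, which is why the post says each scheme and origin must be exempted separately; and a non-secure `http://` page can only ever be covered by the admin-pushed list, never by the user checkbox.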

You can experiment with this feature using the AppProtocol test page.

-Eric

Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ MSFT '01-'12, and '18-, presently working on Microsoft Edge. My words are my own.

4 thoughts on “Bypassing AppProtocol Prompts”

  1. We would love an option to only allow “Trusted sites” so that users do not have to decide if they trust a website enough to open the app.

      1. There would have to be a list which can be configured. We do have the concept in Internet Explorer and in Office Applications (trusted Locations).
        Problem with prompts is that they are usually confirmed no matter what text they contain.
