Mixed-content inconsistent behavior, cannot find workaround

[michal-puczynski]

I am developing .net Blazor MAUI application that integrates with local network resources provided by HTTP, either as video stream or REST. The problem I am having that I can reach localhost over HTTP while I cannot reach any of local network resources, as the requested src is converted to HTTPS even though I use CSP.
Here is what I experience:
dotnet/maui#10141 (comment)
For the moment I do not know what am I dealing with, maybe a bug, maybe lack of knowledge.

[victorthoang]

Hello @michal-puczynski,

Thanks for your inquiry. I've assigned your question to a dev that might best answer your question.

@LiangTheDev, would you have any thoughts regarding this? Perhaps one of our colleagues?

[LiangTheDev]

I am not an expert on this. But I think that it is blocked due to mixed content, that is http resources are blocked in https pages.

localhost is special as we know that it is local files and not subject to man in the middle attack, and it is often treated specially.

CSP and mixed content check both has to pass before a sub resource can be loaded.

You could try to use --unsafely-treat-insecure-origin-as-secure command line switch (in AdditionalBrowserArguments of CoreWebView2EnvironmentOptions) to specify the local network sites to treat them as secure. See more description of the command line switches at https://peter.sh/experiments/chromium-command-line-switches/.

[michal-puczynski]

How does it translate to API calls to WebView2 component? Is that something I can change from within .net MAUI application?

[LiangTheDev]

I don't know how MAUI uses WebView2, so can only give clues. Check https://stackoverflow.com/questions/67882953/disabling-of-web-security-when-using-webview2-in-c-sharp-coding-environment to see whether you can find the place to add similar code to your application.
If that doesn't work out, you can try to set environment variable WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS with the desired command line switches before creating the WebView, like at the beginning of the program, or manually set it on the machine where you are testing the application. This should help: https://stackoverflow.com/questions/65970320/how-can-we-add-environment-parameters-to-webview2-under-winui3.

[michal-puczynski]

This is interesting aspect. It works, for the moment only version with setting env before creating WebView.
Example:
System.Environment.SetEnvironmentVariable("WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS", "--unsafely-treat-insecure-origin-as-secure=http://192.168.18.18:8100");
I did a little digging into security aspects in here: https://w3c.github.io/webappsec-secure-contexts/
and it makes me wondering... my content is delivered via https, so it is secure. The the image is via http, but according to that description it shall be classified as "Potentially Trustworthy" just like localhost or file, am I correct?

[LiangTheDev]

This should be related to https://chromestatus.com/feature/4926989725073408.