Consider WARP enrollment process when using a browser with site whitelisting

[jamie-sandbox]

Existing documentation URL(s)

https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/

What changes are you suggesting?

It is not possible to enroll to the WARP zero trust client if your web browser uses a local site whitelist, which is common in high-security or locked-down enterprise environments:

Even when whitelisting <your-team-name>.cloudflareaccess.com, the callback to the local WARP client uses the unusual protocol handler com.cloudflare.warp://, which does not seem to be possible to whitelist, despite trying:

In Microsoft Edge and Google Chrome, the policy is configurable via Group Policy or InTune, and is called URLAllowlist.

A partial workaround is to set the UseWebView2 value at HKEY_LOCAL_MACHINE\SOFTWARE\Cloudflare\CloudflareWARP, however this is not a practical solution as it requires installing WebView2.

Without a better workaround or fix, this completely blocks our progress with WARP.

Additional information

No response

[ranbel]

Thanks for the feedback! Unfortunately there is no better workaround at the moment, but I have passed on your feedback to the WARP product managers. If you have a Cloudflare account team, I'd recommend contacting them so that they can raise an official feature request.

[kseyoss]

We have this exact same issue. It has been preventing us from moving ahead with Cloudflare for the past 18 months. We have our environment fully setup and ready to go, but we can't progress because the weird "com.cloudflare.warp://" protocol request can't be passed through Chrome with a whitelist.

Google support have replicated the problem... fwiw, they blame the dots (apparently it makes the browser think it's a domain, even with the trailing slashes - so I'm told). We have various protocol handlers whitelisted, such as chrome://, file://, etc, and those work fine, just the Cloudflare one that doesn't.

This has become such an issue, and has remained this way for such a length of time, that we started trialling alternatives to Cloudflare.

please also see here: https://issues.chromium.org/issues/335082218

[kseyoss]

Please consider reopening this issue until resolved. Chromium is nearly 80% browser market share. Whilst I appreciate not all will be affected by this, it will be causing issues for many people. I suspect a large number hit this problem and simply move on to one of your competitors.

[jamie-sandbox]

@ranbel Please see comments from @kseyoss. This is a major blocker that's preventing us from moving forward.

It's a shame about the Chromium bug, and I don't agree with Chromium marking it as 'works as intended' when it doesn't...

If the 'protocol' used by WARP registration could be changed to warp:// or cloudflarewarp:// then this would solve the issue.

[kseyoss]

@jamie-sandbox nobody updated here, or the ticket we have open, but they appear to have quietly fixed this.

[jamie-sandbox]

@kseyoss Nice, I'll have to test this further.

@ranbel Can we have official confirmation?

[ranbel]

Glad to hear that it's working for you. We didn't change anything about WARP's protocol handler, but it's possible that Windows fixed a bug on their end.