Skip to content

Add SmartScreen as origin feature to TrustedOriginSetting spec #5596

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
GittyHarsha wants to merge 3 commits into
base: main
Choose a base branch
from
+28 −2
Open

Add SmartScreen as origin feature to TrustedOriginSetting spec #5596

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e3bb6e2
Add SmartScreen as origin feature to TrustedOriginSetting spec
GittyHarsha May 19, 2026
60c61d5
Address PR review comments
GittyHarsha May 19, 2026
cc3a119
Simplify SmartScreen doc: focus on effect, not IsReputationCheckingRe…
GittyHarsha May 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 28 additions & 2 deletions specs/TrustedOriginSetting.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ This specification introduces the following interfaces:

- AccentColor
- EnhancedSecurityMode
- SmartScreen
Copy link
Copy Markdown
Contributor

@oldnewthing oldnewthing May 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, we try to avoid using marketing names in APIs, since marketing names tend to be fickle. E.g. "Drag Tray" changed to "Drop Tray"., "Microsoft Stream" changed to "Clipchamp", "Azure Active Directory" changed to "Entra", "Focus Assist" changed to "Focus Session".

Could this be called ReputationChecking?

This would also align with IsReputationCheckingRequired.


# Example

Expand All @@ -88,10 +89,17 @@ void SetOriginFeatures()
COREWEBVIEW2_ORIGIN_FEATURE_STATE_ENABLED,
&enhancedSecuritySetting));

wil::com_ptr<ICoreWebView2StagingOriginFeatureSetting> smartScreenSetting;
CHECK_FAILURE(stagingProfile3->CreateOriginFeatureSetting(
COREWEBVIEW2_ORIGIN_FEATURE_SMART_SCREEN,
COREWEBVIEW2_ORIGIN_FEATURE_STATE_DISABLED,
&smartScreenSetting));

// Set features for origin patterns
ICoreWebView2StagingOriginFeatureSetting* features[] = {
accentColorSetting.get(),
enhancedSecuritySetting.get()
enhancedSecuritySetting.get(),
smartScreenSetting.get()
Copy link
Copy Markdown
Contributor

@oldnewthing oldnewthing May 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

May as well leave the trailing comma on this line so the next update will be easier.

};

LPCWSTR origins[] = { L"https://*.contoso.com" };
Expand Down Expand Up @@ -154,6 +162,7 @@ public void SetOriginFeatures()
{
{ CoreWebView2OriginFeature.AccentColor, CoreWebView2OriginFeatureState.Enabled },
{ CoreWebView2OriginFeature.EnhancedSecurityMode, CoreWebView2OriginFeatureState.Enabled },
{ CoreWebView2OriginFeature.SmartScreen, CoreWebView2OriginFeatureState.Disabled },
};

// Set features for origin patterns
Expand Down Expand Up @@ -203,6 +212,22 @@ typedef enum COREWEBVIEW2_ORIGIN_FEATURE {
/// For more information about Enhanced Security Mode, see:
/// https://learn.microsoft.com/en-us/microsoft-edge/webview2/concepts/security
COREWEBVIEW2_ORIGIN_FEATURE_ENHANCED_SECURITY_MODE,
/// Specifies SmartScreen reputation check settings for the origin.
/// SmartScreen protects users from phishing and malware by checking navigated
/// URLs and downloaded files against a cloud-based reputation service.
/// By default, SmartScreen is enabled for all origins. Setting this feature to
/// `Disabled` for an origin will skip SmartScreen reputation checks for
/// navigations and downloads from that origin, effectively allow-listing it.
Copy link
Copy Markdown
Contributor

@david-risney david-risney May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good suggestion.

///
/// Warning: Disabling SmartScreen for an origin bypasses phishing and malware
/// reputation checks. Only disable for fully trusted, app-controlled origins
/// where the content is known to be safe.
///
/// This per-origin configuration only takes effect when SmartScreen is
/// enabled. If SmartScreen is disabled via
/// [IsReputationCheckingRequired](https://learn.microsoft.com/en-us/dotnet/api/microsoft.web.webview2.core.corewebview2settings.isreputationcheckingrequired),
/// this setting has no effect.
COREWEBVIEW2_ORIGIN_FEATURE_SMART_SCREEN,
} COREWEBVIEW2_ORIGIN_FEATURE;

/// Specifies the state of the origin feature.
Expand Down Expand Up @@ -234,7 +259,7 @@ interface ICoreWebView2StagingProfile3 : IUnknown {
/// Configures one or more feature settings for the specified origins.
///
/// This method applies feature configurations—such as accent color support,
/// or enhanced security mode—to origins. Origins
/// enhanced security mode, or SmartScreen reputation checking—to origins. Origins
/// may be provided as exact origin strings or as wildcard patterns.
///
/// The origin pattern can be an exact origin string or a wildcard pattern.
Expand Down Expand Up @@ -336,6 +361,7 @@ namespace Microsoft.Web.WebView2.Core
{
AccentColor = 0,
EnhancedSecurityMode = 1,
SmartScreen = 2,
};

runtimeclass CoreWebView2OriginFeatureSetting
Expand Down