Bypass invalid SSL certificate for Kestrel server displayed in WebView2

Question

Given

• WPF app starts Kestrel server
• Kestrel listens to http://0.0.0.0:5000 and https://0.0.0.0:6000
• Kestrel is pointed to static HTML file index.html
• WPF shows browser control WebView2 which is pointed to https://127.0.0.1:6000/index.html

Results

• If WebView2 is pointed to http://127.0.0.1:5000/index.html everything works fine
• If WebView2 is pointed to https://127.0.0.1:6000/index.html I get an error about untrusted certificate

Question

• Is it possible to disable or ignore SSL validation for localhost in Kestrel or WebView2

Windows settings shouldn't be touched, e.g. marking "localhost" certificate as trusted in "msmc" or generating self-signed certificates, because this WPF app is supposed to run on different computers.

In other words, there must be an easier way than described in this article.

Kestrel

public class WebServer
{
  public static Task Run()
  {
    var configuration = new ConfigurationBuilder().Build();

    var urls = new[]
    {
      "http://0.0.0.0:7000",
      "https://0.0.0.0:8000"
    };

    var environment = WebHost
      .CreateDefaultBuilder(new string[0])
      .UseConfiguration(configuration)
      .UseUrls(urls)
      .UseContentRoot(Directory.GetCurrentDirectory())
      .UseIISIntegration()
      .UseStartup<WebStartup>();

    return environment.Build().RunAsync();
  }
}

public class WebStartup
{
  public IConfiguration Configuration { get; }

  public WebStartup(IConfiguration configuration)
  {
    Configuration = configuration;
  }

  public void ConfigureServices(IServiceCollection services)
  {
    services.AddSpaStaticFiles(configuration =>
    {
      configuration.RootPath = "index.html";
    });
  }

  public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
  {
    app.UseDeveloperExceptionPage();
    //app.UseHsts();
    //app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseSpaStaticFiles();
  }
}

WebView2 Control in WPF

public MainWindow()
{
  WebServer.Run();

  InitializeComponent();

  WebView.Source = new Uri("https://127.0.0.1:6000/index.html"); // HTTP on 5000 works, HTTPS 6000 - no
  WebView.NavigationCompleted += (object sender, CoreWebView2NavigationCompletedEventArgs args) =>
  {
    WebView.InvalidateVisual();
  };
}

Answer 1

Simplifying @padoc's answer:

await webView21.EnsureCoreWebView2Async(
    await CoreWebView2Environment.CreateAsync(
        options: new CoreWebView2EnvironmentOptions(
            additionalBrowserArguments: "--ignore-certificate-errors")));

• EnsureCoreWebView2Async is the necessary call to initialize everything
• It gets passed a new CoreWebView2Environment
• The flag --ignore-certificate-errors command-line flag tells chromium to actually ignore the errors

Answer 2

extensions

 public static CoreWebView2EnvironmentOptions AddArg(this CoreWebView2EnvironmentOptions options, string arg)
        {
            options.AdditionalBrowserArguments += $" {arg}";
            return options;
        }
        public static CoreWebView2EnvironmentOptions AddArg(this CoreWebView2EnvironmentOptions options, string arg,string value)
        {
            options.AdditionalBrowserArguments += $" {arg}={value}";
            return options;
        }

manual config

 var env = await CoreWebView2Environment.CreateAsync(userDataFolder: "Cache",
                    options:new CoreWebView2EnvironmentOptions()
                        .AddArg("--ignore-certificate-errors")
                    );
                await _webBrowser.EnsureCoreWebView2Async(env);

Answer 3

The WebView2 doesn't currently directly expose that feature. If you like, you can open an issue in WebView2 Feedback and we can make a feature request.

As a workaround you might try using the CoreWebView2.CallDevToolsProtocolMethodAsync method to invoke the Security.setIgnoreCertificateErrors DevTools Protocol method. However, I haven't tried setIgnoreCertificateErrors out, and its also marked experimental so not positive it will work in the manner you'd like.