CoreWebView2.ServerCertificateErrorDetected Event

Definition

The ServerCertificateErrorDetected event is raised when WebView2 cannot verify the server's digital certificate while loading a web page.

public event EventHandler<Microsoft.Web.WebView2.Core.CoreWebView2ServerCertificateErrorDetectedEventArgs> ServerCertificateErrorDetected;
member this.ServerCertificateErrorDetected : EventHandler<Microsoft.Web.WebView2.Core.CoreWebView2ServerCertificateErrorDetectedEventArgs> 
Public Custom Event ServerCertificateErrorDetected As EventHandler(Of CoreWebView2ServerCertificateErrorDetectedEventArgs) 

Event Type

Examples

// When WebView2 doesn't trust a TLS certificate but the host app does, this example bypasses
// the default TLS interstitial page using the ServerCertificateErrorDetected event handler and
// continues the request to the server. Otherwise, it cancels the request.
private bool _isServerCertificateError = false;
void ToggleCustomServerCertificateSupport()
{
    // Safeguard the handler in case an unsupported runtime is used.
    try
    {
        if (!_isServerCertificateError)
        {
            _iWebView2.CoreWebView2.ServerCertificateErrorDetected += WebView_ServerCertificateErrorDetected;
        }
        else
        {
            _iWebView2.CoreWebView2.ServerCertificateErrorDetected -= WebView_ServerCertificateErrorDetected;
        }
        _isServerCertificateError = !_isServerCertificateError;

        MessageBox.Show(this, "Custom server certificate support has been " +
            (_isServerCertificateError ? "enabled" : "disabled"),
            "Custom server certificate support");
    }
    catch (NotImplementedException exception)
    {
        MessageBox.Show(this, "Custom server certificate support failed: " + exception.Message, "Custom server certificate support");
    }
}

void WebView_ServerCertificateErrorDetected(object sender, CoreWebView2ServerCertificateErrorDetectedEventArgs e)
{
    CoreWebView2Certificate certificate = e.ServerCertificate;

    // Continues the request to a server with a TLS certificate if the error status
    // is of type `COREWEBVIEW2_WEB_ERROR_STATUS_CERTIFICATE_IS_INVALID`
    // and trusted by the host app.
    if (e.ErrorStatus == CoreWebView2WebErrorStatus.CertificateIsInvalid &&
                    ValidateServerCertificate(certificate))
    {
        e.Action = CoreWebView2ServerCertificateErrorAction.AlwaysAllow;
    }
    else
    {
        // Cancel the request for other TLS certificate error types or if untrusted by the host app.
        e.Action = CoreWebView2ServerCertificateErrorAction.Cancel;
    }
}

// Function to validate the server certificate for untrusted root or self-signed certificate.
// You may also choose to defer server certificate validation.
bool ValidateServerCertificate(CoreWebView2Certificate certificate)
{
    // You may want to validate certificates in different ways depending on your app and
    // scenario. One way might be the following:
    // First, get the list of host app trusted certificates and its thumbprint.
    //
    // Then get the last chain element using `ICoreWebView2Certificate::get_PemEncodedIssuerCertificateChain`
    // that contains the raw data of the untrusted root CA/self-signed certificate. Get the untrusted
    // root CA/self signed certificate thumbprint from the raw certificate data and validate the thumbprint
    // against the host app trusted certificate list.
    //
    // Finally, return true if it exists in the host app's certificate trusted list, or otherwise return false.
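    // Placeholder only: returning true unconditionally trusts every certificate that reaches
    // this function. Replace it with a real check such as the one outlined above.
    return true;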
}

// This example clears the `AlwaysAllow` responses that were added for proceeding with TLS certificate errors.
async void ClearServerCertificateErrorActions()
{
    await _iWebView2.CoreWebView2.ClearServerCertificateErrorActionsAsync();
    MessageBox.Show(this, "Server certificate error actions were cleared.", "Clear server certificate error actions");
}
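
One way to fill in the `ValidateServerCertificate` placeholder along the lines its comments describe, as an added example that is not part of the original sample. The class name `PinnedRootValidator`, the pin-list entry, the use of SHA-256 over the DER bytes as the thumbprint, and the fallback to the server certificate itself when the issuer chain is empty are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.WebView2.Core;

static class PinnedRootValidator
{
    // Constructed placeholder: SHA-256 (hex) of the DER bytes of each root or self-signed
    // certificate the host app trusts. With only the placeholder present, nothing matches.
    static readonly HashSet<string> TrustedSha256 =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "<SHA-256-HEX-OF-TRUSTED-ROOT>" };

    public static bool ValidateServerCertificate(CoreWebView2Certificate certificate)
    {
        try
        {
            // The last chain element is the untrusted root. Assumption: if the issuer
            // chain is empty (self-signed server certificate), pin the certificate itself.
            IReadOnlyList<string> chain = certificate.PemEncodedIssuerCertificateChain;
            string pem = chain != null && chain.Count > 0 ? chain[chain.Count - 1] : certificate.ToPemEncoding();

            using (var anchor = new X509Certificate2(PemToDer(pem)))
            using (var sha256 = SHA256.Create())
            {
                // NotBefore/NotAfter are expressed in local time, so compare with DateTime.Now.
                if (DateTime.Now < anchor.NotBefore || DateTime.Now > anchor.NotAfter)
                    return false;
                string hex = BitConverter.ToString(sha256.ComputeHash(anchor.RawData)).Replace("-", "");
                return TrustedSha256.Contains(hex);
            }
        }
        catch (Exception ex) when (ex is FormatException || ex is CryptographicException)
        {
            return false; // Unparsable certificate data: fail closed.
        }
    }

    static byte[] PemToDer(string pem)
    {
        // Drop the BEGIN/END armor lines and decode the base64 body.
        var body = pem.Split('\n').Select(l => l.Trim())
            .Where(l => l.Length > 0 && !l.StartsWith("-----", StringComparison.Ordinal));
        return Convert.FromBase64String(string.Concat(body));
    }
}
```

Because WebView2 caches `AlwaysAllow` for the host and certificate, call `ClearServerCertificateErrorActionsAsync()` after removing an entry from the pin list so that earlier decisions are evaluated again.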

Remarks

This event is raised for all web resources and follows the WebResourceRequested event.

If you don't handle the event, WebView2 will show the default TLS interstitial error page to the user for navigations, and for non-navigations the web request is cancelled.

Note that before raising `ServerCertificateErrorDetected`, WebView2 raises a NavigationCompleted event with IsSuccess as FALSE and any of the below WebErrorStatuses that indicate a certificate failure.

For more details, see IsSuccess. Handle the ServerCertificateErrorDetected event or show the default TLS interstitial error page to the user, according to the app's needs.

When the action is AlwaysAllow, WebView2 caches the response for the RequestUri's host and the server certificate in the session, and the ServerCertificateErrorDetected event won't be raised again.

To raise the event again, you must clear the cache using ClearServerCertificateErrorActionsAsync().

Applies to