Auto-allow Local Network Access permission at sandbox startup#299
Conversation
|
|
There was a problem hiding this comment.
Pull request overview
This PR reduces repeated “Local Network Access” permission prompts introduced in newer Chromium-based browsers by pre-seeding the corresponding enterprise policy inside the Windows Sandbox before the browser first launches, ensuring internet-banking flows aren’t interrupted across ephemeral sessions.
Changes:
- Adds registry policy writes at sandbox startup to allow Local Network Access for all origins (
*) for both Edge and Chrome. - Mirrors the same policy writes in the manual test WSB generator script.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/TableCloth.App/Components/Implementations/SandboxBuilder.cs | Injects Edge/Chrome LocalNetworkAccessAllowedForUrls policy reg-add commands into the sandbox startup batch script before the first browser launch. |
| tools/make-test-wsb.cs | Updates generated _spork-test-run.cmd to include the same Edge/Chrome Local Network Access policy reg-add commands for manual testing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| // Chromium 목록형 정책이라 정책 이름을 하위 키로 만들고 "1","2",... 문자열 값으로 항목을 채운다. | ||
| // Edge/Chrome 모두 지원한다(정책 자체는 chrome.*:139- 부터 제공, 팝업은 141 전후로 노출). | ||
| // msedge/chrome 가 처음 뜨기 전에 정책이 들어가야 | ||
| // 새 프로세스가 이를 읽으므로 GPU 정책과 동일하게 batch 단계에서 적용한다. | ||
| var localNetworkAccessScript = @"reg add ""HKLM\SOFTWARE\Policies\Microsoft\Edge\LocalNetworkAccessAllowedForUrls"" /v 1 /t REG_SZ /d ""*"" /f >nul 2>&1 | ||
| reg add ""HKLM\SOFTWARE\Policies\Google\Chrome\LocalNetworkAccessAllowedForUrls"" /v 1 /t REG_SZ /d ""*"" /f >nul 2>&1 | ||
| "; |
| "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\CI\\Policy\" /v VerifiedAndReputablePolicyState /t REG_DWORD /d 0 /f >nul 2>&1", | ||
| "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\" /v HardwareAccelerationModeEnabled /t REG_DWORD /d 0 /f >nul 2>&1", | ||
| "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Edge\\LocalNetworkAccessAllowedForUrls\" /v 1 /t REG_SZ /d \"*\" /f >nul 2>&1", | ||
| "reg add \"HKLM\\SOFTWARE\\Policies\\Google\\Chrome\\LocalNetworkAccessAllowedForUrls\" /v 1 /t REG_SZ /d \"*\" /f >nul 2>&1", |
Chrome/Edge 141 introduced the Local Network Access permission, which pops an "허용(Allow)" prompt whenever internet-banking sites reach local security programs/devices (e.g.
banking.nonghyup.com→ "로컬 네트워크에서 원하는 기기를 찾아 연결"). Because the sandbox resets every session, users would face this prompt on every launch. This applies the corresponding Chromium enterprise policy at sandbox start so banking works without interruption.Changes
SandboxBuilder.GenerateSandboxStartupScript— always emitLocalNetworkAccessAllowedForUrls = *for both Edge and Chrome, in the batch stage before the browser first launches (same ordering rationale as the existing Edge GPU policy).tools/make-test-wsb.cs— mirror the same reg commands in the manual test-WSB generator.Notes
LocalNetworkAccessAllowedForUrlsis a Chromium list policy (name as subkey,"1","2"… string values). Supported from Chrome/Edge 139+; it's the long-term policy Chromium recommends over the temporary opt-out flags.*(all origins) is intentional: the sandbox is ephemeral and dedicated solely to internet banking, so a maintained bank-domain allowlist adds cost without benefit.