An Early Look at Security Features in the New Browser Control

Among the differences between the old and new Microsoft Access browser controls is an emphasis on security in the new version. What does that mean for you?

An Early Look at Security Features in the New Browser Control

The new Edge-based browser control just got released in preview, but we're already learning some important things about it.

One thing that's clear is that this control will have much stricter security than the previous one.  Access to the local file system requires a special URL prefix and untrusted domains will open in an external browser (rather than within the control).  

We can expect other restrictions to surface as we learn more about the new control.

Accessing the Local File System

If you want to access a resource on your local file system, you must prefix the path with: https://msaccess/

For example, if you have an html file saved as M:\Sample.html you would access it in the new Edge-based browser control as:

https://msaccess/M:\Sample.html

To display that page in the browser control itself, you would set the Control Source to:

="https://msaccess/M:\Sample.html"

Alternatively, you could store the string https://msaccess/M:\Sample.html in a field named MyURL in a table named MyTable, set the form's RecordSource to MyTable, set the Edge browser control's ControlSource to MyURL, and the form would render the file when it was on that record.

BUG ALERT

At this time, local images and PDFs will not load in the new browser control.  This is a known bug that the team is working on fixing.

One of the new properties in Microsoft Access's modern Edge-based browser control is the TrustedDomains property:

Allows you to specify a table name who's first column contains domains the browser is allowed to renavigate to.

If the Control Source is bound to a field, the browser will already be allowed to navigate to those values. This property is useful if you want to allow redirects that happen during logins, or to allow links to other domains on the starting web page to work.

Over on the Access MVP mailing list, the Access team shared some additional information about the new property:

We added a new Trusted Domains property because by default you can't navigate away from the domain the browser starts at:

https://learn.microsoft.com/en-us/office/vba/api/access.edgebrowsercontrol.trusteddomains

If an external browser window pops up, often this means a redirect occurred, but if the site you redirected to is in your trusted domains then it will not pop up the external browser.

A local file without the msaccess prefix will always open up the external browser though, as the webview is restricted from accessing the file system for security reasons.

The final design of the TrustedDomains functionality is likely up in the air, so if you have feedback about how you think the feature should work, drop a comment below and I'll be sure to pass it along to the Access team.

More to Come

Expect more information about the browser control here as I continue to test it and see how it works.  If there's anything you are particularly curious about, leave a comment below.


External References

EdgeBrowserControl.TrustedDomains property (Access)
Office VBA reference topic

Image by Ryan McGuire from Pixabay

All original code samples by Mike Wolfe are licensed under CC BY 4.0