Skip to content

[Breaking Change] EnhancedSecurityModeLevel replaced by EnhancedSecurityModeState #132

Description

@Ju-MsGit

EnhancedSecurityModeLevel replaced by EnhancedSecurityModeState – WebView2 Enhanced Security Mode profile API

Summary

WebView2 is replacing the existing EnhancedSecurityModeLevel API with a new EnhancedSecurityModeState API to provide a simpler and more consistent way to control Enhanced Security Mode (ESM) at the profile level.

Details

Scope: WebView2

Purpose: EnhancedSecurityModeState is a rename of EnhancedSecurityModeLevel, which is used to control whether Enhanced Security Mode is enabled or disabled for all WebView2 instances associated with a profile. The rename replaces the level-based enum (Off/Strict) with a clearer state-based enum (Disabled/Enabled) to better communicate the actual state of Enhanced Security Mode.

Behavior

Previously, Enhanced Security Mode was controlled using EnhancedSecurityModeLevel with values Off and Strict. The new EnhancedSecurityModeState replaces this with a straightforward Disabled/Enabled model.

Old API (EnhancedSecurityModeLevel) New API (EnhancedSecurityModeState) Behavior
Off Disabled Enhanced Security Mode is turned off. Normal web platform behavior.
Strict Enabled Enhanced Security Mode is on. Disables JIT compilation and enables additional OS protections.

When Enhanced Security Mode is enabled, it disables JavaScript Just-in-Time (JIT) compilation and enables additional operating system protections across all sites. This may reduce JavaScript performance but protects against zero-day exploits and reduces attack surface. See Enhanced Security Mode for details.

Impact

Apps that currently use CoreWebView2Profile.EnhancedSecurityModeLevel to control Enhanced Security Mode will need to migrate to CoreWebView2Profile.EnhancedSecurityModeState. The old EnhancedSecurityModeLevel API is deprecated and will be removed in a future release.

  • COM: ICoreWebView2ExperimentalProfile9 (deprecated) → ICoreWebView2ExperimentalProfile17 (new)
  • .NET / WinRT: CoreWebView2Profile.EnhancedSecurityModeLevel (deprecated) → CoreWebView2Profile.EnhancedSecurityModeState (new)
  • Enum: CoreWebView2EnhancedSecurityModeLevel (deprecated) → CoreWebView2EnhancedSecurityModeState (new)

Rollout

The EnhancedSecurityModeState API is experimental starting in the 148 pre-release SDK. The deprecated EnhancedSecurityModeLevel API will continue to function during a transition period but will be removed after promotion to stable.

Testing

Migrate your code from EnhancedSecurityModeLevel to EnhancedSecurityModeState and validate that:

  1. Setting EnhancedSecurityModeState to Enabled correctly enables Enhanced Security Mode (JIT disabled, additional OS protections active).
  2. Setting EnhancedSecurityModeState to Disabled correctly disables Enhanced Security Mode.
  3. The setting is not persisted and resets to Disabled when the profile is destroyed and recreated.
  4. Changes apply immediately to new navigations; existing pages require a reload.

Known Changes

  • CoreWebView2EnhancedSecurityModeLevel enum and EnhancedSecurityModeLevel property are deprecated.
  • CoreWebView2EnhancedSecurityModeState enum replaces the level-based model with Disabled/Enabled states.
  • No change to per-origin Enhanced Security Mode configuration via SetOriginFeatures.

App Action

Replace all usage of EnhancedSecurityModeLevel with EnhancedSecurityModeState in your WebView2 application.

Timeline

  • Feature Enablement: EnhancedSecurityModeState is available as experimental in the 149 pre-release SDK. The deprecated EnhancedSecurityModeLevel API will be removed after the new API is promoted to stable.
  • Testing Deadline: Apps are encouraged to complete their migration testing before the stable release.
  • Contact: For questions or concerns, please use the WebView2Feedback repo.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Breaking ChangeNotable change in behavior that may require updating your app

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions