[Inquiry]: Is it possible to create a list of allowed URLs

[szilvaa-adsk]

Description

I'd like to isolate my application such that it can only access URLs that I allowed in the manifest. Is this possible? The granularity appears to be rather limited: https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation#network-isolation

This would be useful to mitigate the scenario when my app is compromised (e.g. via an input file) and the compromised app wants to exfiltrate stolen data.

[cchavez-msft]

Hi, @szilvaa-adsk.

Thank you so much for your input! This is currently not supported, and we don't have immediate plans for it. We will try to take a look in the future.

Thank you so much for your valuable participation!

[RealAlphabet]

I don't think it's worth implementing such a mechanism for requests made by the Windows API. Most applications use their own HTTP library.

Allowing the App Container to specify a virtual network device (driver) or other L2/L3 network interception mechanism could be useful for more advanced cases.

However, with the arrival of ECH (Encrypted Client Hello) over TLS, it would no longer be possible to determine an origin via Deep Packet Inspection (DPI). DNS detection will also not work when using Secure DNS over HTTPS.