diff --git a/service/process/profile.go b/service/process/profile.go
index 8217aa9b..4ade9a0d 100644
--- a/service/process/profile.go
+++ b/service/process/profile.go
@@ -135,6 +135,12 @@ func (p *Process) IsPortmasterUi(ctx context.Context) bool {
 // For example:
 // There may be cases where a system browser is launched from the Portmaster UI,
 // making it a child of the Portmaster UI process (e.g., user clicked a link in the UI).
+ // In this case, the parent process tree may look like this:
+ // Portmaster.exe
+ // ├─ WebView (PM UI)
+ // │ └─ WebView (PM UI child)
+ // └─ System Web Browser ...
+ //
 // To ensure that 'p' is the actual Portmaster UI process, we check for the presence
 // of the 'PORTMASTER_UI_WEBVIEW_PROCESS' environment variable in the process and its parents.
 // If the env var is set, we are a child (WebView window) of the Portmaster UI process.
@@ -146,11 +152,16 @@ func (p *Process) IsPortmasterUi(ctx context.Context) bool {
 return true // We are a WebView window of the Portmaster UI process.
 }
 // The process was launched by the Portmaster UI, but should not be trusted as the Portmaster UI process.
- log.Tracer(ctx).Warning(fmt.Sprintf("process: %d '%s' is a child of the Portmaster UI, but does not have the PORTMASTER_UI_WEBVIEW_PROCESS environment variable set. Ignoring.", p.Pid, p.Path))
+ log.Tracer(ctx).Warningf("process: %d '%s' is a child of the Portmaster UI, but does not have the PORTMASTER_UI_WEBVIEW_PROCESS environment variable set. Ignoring.", p.Pid, p.Path)
 return false
 }
 // Check if the process has the environment variable set.
+ //
+ // It is OK to check for the existence of the environment variable in all
+ // processes in the parent chain (on all loop iterations). This increases the
+ // chance of correct detection, even if a child or grandchild WebView process
+ // did not inherit the environment variable for some reason.
 if _, ok := proc.Env["PORTMASTER_UI_WEBVIEW_PROCESS"]; ok {
 hasPmWebviewEnvVar = true
 }
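Review bot: The comment added above the `proc.Env["PORTMASTER_UI_WEBVIEW_PROCESS"]` check in the second hunk justifies the every-iteration lookup by detection rate only and leaves out the trust assumption behind it. An environment variable is inherited by default and is not an authenticated marker, so any process started from a WebView process would presumably carry it too and be classified as the Portmaster UI once the parent chain reaches the UI binary. If that is acceptable, the comment should say so, e.g. `// NOTE: the variable is inherited by every descendant of a WebView process; it marks the UI subtree, it does not prove the process is a WebView.`; if it is not, the match needs a second condition on the process that carries the variable. IsPortmasterUi starts and ends outside the hunk, so how the variable is set and how the UI binary is matched cannot be checked here.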
diff --git a/service/profile/special.go b/service/profile/special.go
index b7674668..cfff90bc 100644
--- a/service/profile/special.go
+++ b/service/profile/special.go
@@ -245,7 +245,7 @@ func createSpecialProfile(profileID string, path string) *Profile {
 // possibly made by the internal WebView implementation —
 // are blocked.
 CfgOptionDefaultActionKey: DefaultActionBlockValue,
- CfgOptionBlockScopeInternetKey: true,
+ CfgOptionBlockScopeInternetKey: false, // This is stronger than the rules, and thus must be false in order to access safing.io.
 CfgOptionBlockScopeLANKey: true,
 CfgOptionBlockScopeLocalKey: true,
 CfgOptionBlockP2PKey: true,
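Review bot: With `CfgOptionBlockScopeInternetKey` now `false`, Internet traffic from this profile is held back only by `CfgOptionDefaultActionKey: DefaultActionBlockValue` and whatever allow rules the profile defines outside this hunk, so the safing.io exception should be as narrow as those rules permit. The block comment just above still says such connections "are blocked" without naming the mechanism; it would help to state it there, e.g. `// Internet scope is not blocked here; the default action blocks everything the rules do not allow.`, and to move the long trailing comment onto its own line. createSpecialProfile continues outside the hunk, so the rule list itself could not be checked.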