The recent Windows 10 update for KB5003637 seems to have caused our use of the WebBrowser control to fail. Our applications use a C++ dialog that hosts a web browser control based on the IWebBrowser2 interface and implemented by the COM class 8856f961-340a-11d0-a96b-00c04fd705a2. The control interacts with a bespoke internal 'web server' that is hosted on a localhost port. The web browser is rendering dynamic HTML with a bunch of css and javascript. It's a legacy app that has been working reliably for many years. Our users that have Windows 10 versions 2004, 20H2, and 21H1 are installing the KB5003637, and when they do the web browser does not render the content that it did before. Looking at some trace, I can see that the Web Browser is requesting the page's HTML, which seems to be delivered as it should. What normally happens at that time is that the web browser control requests the css and javascript files needed to make the page active. What happens instead is nothing. The KB5003637 update is pretty big, but does contain fixes for some scripting vulnerabilities described in CVE-2021-31959 which are very much on point. Nothing that I've found so far indicates how this was fixed, the effect that it has on the WebBrowser control, nor what workarounds there might be. Any help would be appreciated.
1 Answers
Turns out that the Windows update I described did change the behavior of the WebBrowser control. Our bespoke web server was not including content type headers for responses to the WebBrowser's request. For the last decade or more, the control was successfully able to figure out what the content was OR it defaulted to the correct content type in the cases that mattered. After the update, the WebBrowser was defaulting to a content type of 'text' for the initial HTML payload. As a result it was not trying to interpret the payload as HTML and therefore no further actions were necessary (like requesting css and js files).
When I changed the code to include a content type header of "text/html" for the initial payload, the application began working. Content type headers are now included with all replies.
- 21
- 3