WARP Zero Trust enrollment is broken
Cloudflare Zero Trust enrollment has been broken since the July update. It is still broken in the Beta builds. The Open Cloudflare Warp button does nothing.
I tried to set location.href="com.cloudflare.warp://xxxxxxxx" but it doesn’t do anything. I am using Chrome Version 104.0.5112.81 (Official Build) (64-bit). Doing it from PowerShell by invoking Start-Process "com.cloudflare.warp://xxxxxxxxx" works fine. I think it has to do with the handler having dots in the scheme part of the URI, but dots are allowed by RFC 3986. I know the handler is not invoked because no logs are generated by the service or the UI application.

Is anyone getting this issue?

I have diagnosed the issue. This is because the URL of com.cloudflare.warp://prevu3d.cloudflareaccess.com/auth?token=eyABCDEFG is bigger than 2048 characters. This must be a limitation on Chrome or something, since it works when invoked from PowerShell.

I tested it in Firefox and it just works. It is strange that Cloudflare QA doesn’t test their software in Chrome.

How do I report this problem?

On a side note, there is a big security vulnerability because a threat actor who triggers the protocol handler can enroll the device into a Zero Trust organization which he controls. The only way to protect against this is to set the Allow device to leave organization parameter to false and to ensure that devices are enrolled into your Zero Trust organization. Obviously Cloudflare won’t fix this because all they care about is rushing buggy products out the door.
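As an added illustration of the two points raised in the thread (dots are legal in an RFC 3986 scheme, and the deep link fails once it passes roughly 2048 characters in Chrome), this is a pre-flight check a page could run before assigning a custom-scheme URI to location.href. It is example code, not Cloudflare's; the 2048 threshold is taken from the poster's observation and treated as a configurable assumption, and the host and token values are constructed placeholders.

```javascript
// Example pre-flight check for a custom-scheme deep link (added here, not
// from the thread). Assumption: 2048 is the ceiling observed in Chrome in
// the thread above, used as a tunable threshold rather than a documented limit.
const MAX_HANDLER_URI_LENGTH = 2048;

// RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// Dots are therefore legal, so "com.cloudflare.warp" passes this test.
const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+\-.]*$/;

// Returns a structured diagnosis instead of silently doing nothing, which is
// the symptom described in the thread when the handler is never invoked.
function checkHandlerUri(uri, maxLength = MAX_HANDLER_URI_LENGTH) {
  const problems = [];
  const colon = uri.indexOf(':');
  const scheme = colon > 0 ? uri.slice(0, colon) : '';
  if (!scheme) {
    problems.push('missing scheme');
  } else if (!SCHEME_RE.test(scheme)) {
    problems.push(`scheme "${scheme}" is not valid under RFC 3986`);
  }
  if (uri.length > maxLength) {
    problems.push(`length ${uri.length} exceeds ${maxLength}`);
  }
  return { scheme, length: uri.length, ok: problems.length === 0, problems };
}

// Builds a link of the shape quoted in the thread; host and token are
// placeholders, not real enrollment data.
function buildEnrollUri(host, token) {
  return `com.cloudflare.warp://${host}/auth?token=${encodeURIComponent(token)}`;
}

// Only navigate when the check passes; otherwise surface the reason so the
// user is not left with a button that appears to do nothing.
function openHandlerOrReport(uri, navigate = (u) => { location.href = u; }) {
  const result = checkHandlerUri(uri);
  if (result.ok) navigate(uri);
  return result;
}

// Constructed samples: one short link, one whose token pushes it past the limit.
const shortUri = buildEnrollUri('example.cloudflareaccess.com', 'eyABCDEFG');
const longUri = buildEnrollUri('example.cloudflareaccess.com', 'A'.repeat(2100));
```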