vsix extensions that utilise webviews are blocked by CSP #4098

Closed
bassforce86 opened this issue Sep 3, 2021 · 4 comments
Labels
bug Something isn't working
Milestone

Comments

@bassforce86

bassforce86 commented Sep 3, 2021

Similar to #1530

vscode-webview.net is blocked by the current CSP; could adding it to the allowlist be considered?

Refused to load the stylesheet 'https://vscode-remote+localhost.vscode-resource.vscode-webview.net:1337/<$HOME>/.local/share/code-server/extensions/mhutchie.git-graph-1.30.0/media/out.min.css' 
because it violates the following Content Security Policy directive: "style-src https://*.vscode-webview.net 'unsafe-inline'". 
Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

Extension issue was found against: mhutchie/vscode-git-graph#535

Reproduction:

  • run code-server locally via any port
  • open code-server in Chrome / Firefox
  • install git-graph extension
  • open a folder with a git project open (so some history is shown)
  • open git graph
  • see that the view is broken. (caused by CSP blocking out.min.css)

Code Server Info:

code-server: v3.11.1
VS Code: v1.57.1
Commit: c680aae
Date: 2021-08-06T18:33:37Z
Browser: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.31 Safari/537.36

@bassforce86 bassforce86 added the feature New user visible feature label Sep 3, 2021
@jsjoeio jsjoeio added bug Something isn't working and removed feature New user visible feature labels Sep 3, 2021
@jsjoeio
Contributor

jsjoeio commented Sep 3, 2021

Yeah, I think when we landed #3895 it caused this issue.

Thanks for opening and providing repro steps! We'll take a look.

@jsjoeio jsjoeio added this to the On Deck milestone Sep 3, 2021
@jsjoeio jsjoeio self-assigned this Sep 3, 2021
@bassforce86
Author

bassforce86 commented Sep 5, 2021

Without pulling locally, I'd hazard a guess that the initial resource check is causing this issue:
https://github.com/cdr/code-server/blob/67b23aaa1da46da4e2a10e3a6bd5e7127d79d284/lib/vscode/src/vs/workbench/api/common/shared/webview.ts#L46

as almost all resources will, at some point, reference http / https, which I suspect is causing the authorities not to be loaded because of the early return.

@jsjoeio
Contributor

jsjoeio commented Sep 7, 2021

Thanks for digging into that! That sounds likely, but I'll have to investigate to double-check. Hoping to get to this soon 🙏

@jsjoeio jsjoeio modified the milestones: On Deck, 3.12.0 Sep 7, 2021
@jsjoeio jsjoeio removed their assignment Sep 9, 2021
@jsjoeio
Contributor

jsjoeio commented Sep 10, 2021

Fixed by #4131

@jsjoeio jsjoeio closed this as completed Sep 10, 2021