
[Bug]: Content Security Policy violations breaks various features #5710

Closed
@LiveOverflow

Description


Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

  • Web Browser: Chrome Version 106.0.5249.119
  • Local OS: macOS
  • Remote OS: ubuntu:22.04 docker image
  • Remote Architecture: amd64
  • code-server --version: 4.8.0

Steps to Reproduce

  1. Use the Dockerfile below with version 4.8.0 and docker run -p3000:3000 ...
  2. Open the browser console and access code-server on 127.0.0.1:3000
  3. You should see some CSP errors in the console.
  4. When you open a new Jupyter Notebook, you can see it being really broken.

If you use code-server version 4.7.1 there are no CSP violations. So something about CSP must have changed in this version.
Also I have a small suspicion that the issue #5708 is related to this.

```dockerfile
FROM ubuntu:22.04
USER root
RUN apt-get update && apt install -y curl

#RUN curl -fsSL https://code-server.dev/install.sh | sh -s -- --version=4.7.1
RUN curl -fsSL https://code-server.dev/install.sh | sh -s -- --version=4.8.0

RUN code-server --force --install-extension ms-python.python --disable-telemetry --disable-update-check
RUN code-server --force --install-extension ms-toolsai.jupyter --disable-telemetry --disable-update-check

EXPOSE 3000
ENTRYPOINT code-server --bind-addr 0.0.0.0:3000 --force --disable-telemetry --disable-update-check --auth none /root/
```

Expected

No CSP violations

Actual

```text
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval' 'sha256-wwaDxsm1+SKIUb5YJXiZlYMyV7QPB8+zd6HPcTjigZs=' https:". Either the 'unsafe-inline' keyword, a hash ('sha256-TkIM/TmudlFEe0ZRp0ptvN54LClwk30Rql4ZPE0hm/I='), or a nonce ('nonce-...') is required to enable inline execution.

:3000/stable-129500ee4c8ab7263461ffe327268ba56b9f210d/static/out/vs/workbench/contrib/webview/browser/pre/index.html?id=24c70c6b-57f1-4f62-952d-03f0a65b434b&origin=24c70c6b-57f1-4f62-952d-03f0a65b434b&swVersion=4&extensionId=&platform=browser&vscode-resource-base-authority=vscode-resource.vscode-cdn.net&parentOrigin=http%3A%2F%2F127.0.0.1%3A3000&remoteAuthority=127.0.0.1%3A3000:18 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-wwaDxsm1+SKIUb5YJXiZlYMyV7QPB8+zd6HPcTjigZs=' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-IZkGO4jZeUn7pzM6pBZCZc9bUYm8oVNV3z8zEa8gxlk='), or a nonce ('nonce-...') is required to enable inline execution.

index.html:18 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'sha256-wwaDxsm1+SKIUb5YJXiZlYMyV7QPB8+zd6HPcTjigZs=' 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-IZkGO4jZeUn7pzM6pBZCZc9bUYm8oVNV3z8zEa8gxlk='), or a nonce ('nonce-...') is required to enable inline execution.
```

Logs

No response


Does this issue happen in VS Code or GitHub Codespaces?

  • I cannot reproduce this in VS Code.
  • I cannot reproduce this in GitHub Codespaces.

Are you accessing code-server over HTTPS?

  • I am using HTTPS.

Notes

I have tested this served over https and with the docker setup on localhost as described in this issue.

Sorry I cannot pinpoint the issue better. I'm not familiar with the codebase.

Metadata


Assignees

No one assigned

Labels

bug (Something isn't working), triage (This issue needs to be triaged by a maintainer)
