2022-03-22 21:07:14 +01:00
|
|
|
Serve webviews from the same origin
|
|
|
|
|
|
|
|
Normally webviews are served from vscode-webview.net but we would rather them be
|
|
|
|
self-hosted.
|
|
|
|
|
|
|
|
When doing this CSP will block resources (for example when viewing images) so
|
|
|
|
add 'self' to the CSP to fix that.
|
|
|
|
|
2022-04-14 20:02:52 +02:00
|
|
|
Additionally the service worker defaults to handling *all* requests made to the
|
|
|
|
current host but when self-hosting the webview this will end up including the
|
|
|
|
webview HTML itself which means these requests will fail since the communication
|
|
|
|
channel between the webview and the main thread has not been set up yet as the
|
|
|
|
webview itself is not ready yet (it has no HTML and therefore no script either).
|
|
|
|
Since this code exists only for the authentication case we can just skip it when
|
|
|
|
it is served from the current host as authentication is not a problem if the
|
|
|
|
request is not cross-origin.
|
|
|
|
|
2022-05-04 23:58:49 +02:00
|
|
|
There is also an origin check we bypass (this seems to be related to how the
|
|
|
|
webview host is separate by default but we serve on the same host).
|
|
|
|
|
2022-04-14 20:02:52 +02:00
|
|
|
To test, open a few types of webviews (images, markdown, extension details, etc).
|
|
|
|
|
2022-03-22 21:07:14 +01:00
|
|
|
Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
|
|
|
|
===================================================================
|
|
|
|
--- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
|
|
|
|
+++ code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
|
2022-06-21 23:51:46 +02:00
|
|
|
@@ -183,7 +183,7 @@ export class BrowserWorkbenchEnvironment
|
2022-03-22 21:07:14 +01:00
|
|
|
|
|
|
|
@memoize
|
|
|
|
get webviewExternalEndpoint(): string {
|
|
|
|
- const endpoint = this.options.webviewEndpoint
|
|
|
|
+ const endpoint = (this.options.webviewEndpoint && new URL(this.options.webviewEndpoint, window.location.toString()).toString())
|
|
|
|
|| this.productService.webviewContentExternalBaseUrlTemplate
|
2022-06-21 23:51:46 +02:00
|
|
|
|| 'https://{{uuid}}.vscode-cdn.net/{{quality}}/{{commit}}/out/vs/workbench/contrib/webview/browser/pre/';
|
2022-03-22 21:07:14 +01:00
|
|
|
|
|
|
|
Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
|
|
|
|
===================================================================
|
|
|
|
--- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
|
|
|
|
+++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
|
2022-06-21 23:51:46 +02:00
|
|
|
@@ -298,6 +298,7 @@ export class WebClientServer {
|
|
|
|
|
|
|
|
const workbenchWebConfiguration = {
|
|
|
|
remoteAuthority,
|
|
|
|
+ webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
|
|
|
|
_wrapWebWorkerExtHostInIframe,
|
|
|
|
developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined },
|
|
|
|
settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
|
|
|
|
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
|
2022-03-22 21:07:14 +01:00
|
|
|
===================================================================
|
2022-06-21 23:51:46 +02:00
|
|
|
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
|
|
|
|
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
|
|
|
|
@@ -5,7 +5,7 @@
|
|
|
|
<meta charset="UTF-8">
|
2022-03-22 21:07:14 +01:00
|
|
|
|
2022-06-21 23:51:46 +02:00
|
|
|
<meta http-equiv="Content-Security-Policy"
|
|
|
|
- content="default-src 'none'; script-src 'sha256-xgIcbQmGjpT42GEj54VFSNh6MI15PZ2D1+DdVehfYBI=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
|
|
|
|
+ content="default-src 'none'; script-src 'sha256-aOCIU83V9nV+0ERJudbrKLqgIVOHqU71i4Lv5urjGTI=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
|
2022-03-22 21:07:14 +01:00
|
|
|
|
2022-06-21 23:51:46 +02:00
|
|
|
<!-- Disable pinch zooming -->
|
|
|
|
<meta name="viewport"
|
|
|
|
@@ -331,6 +331,12 @@
|
2022-03-22 21:07:14 +01:00
|
|
|
|
2022-06-21 23:51:46 +02:00
|
|
|
const hostname = location.hostname;
|
2022-04-14 20:02:52 +02:00
|
|
|
|
2022-06-21 23:51:46 +02:00
|
|
|
+ // It is safe to run if we are on the same host.
|
|
|
|
+ const parent = new URL(parentOrigin)
|
|
|
|
+ if (parent.hostname === hostname) {
|
|
|
|
+ return start(parentOrigin)
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
if (!crypto.subtle) {
|
|
|
|
// cannot validate, not running in a secure context
|
|
|
|
throw new Error(`Cannot validate in current context!`);
|
|
|
|
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
|
2022-05-04 23:58:49 +02:00
|
|
|
===================================================================
|
2022-06-21 23:51:46 +02:00
|
|
|
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
|
|
|
|
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
|
|
|
|
@@ -330,6 +330,12 @@
|
2022-05-04 23:58:49 +02:00
|
|
|
|
2022-06-21 23:51:46 +02:00
|
|
|
const hostname = location.hostname;
|
2022-05-04 23:58:49 +02:00
|
|
|
|
2022-06-21 23:51:46 +02:00
|
|
|
+ // It is safe to run if we are on the same host.
|
|
|
|
+ const parent = new URL(parentOrigin)
|
|
|
|
+ if (parent.hostname === hostname) {
|
|
|
|
+ return start(parentOrigin)
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
if (!crypto.subtle) {
|
|
|
|
// cannot validate, not running in a secure context
|
|
|
|
throw new Error(`Cannot validate in current context!`);
|
|
|
|
Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
|
|
|
|
===================================================================
|
|
|
|
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
|
|
|
|
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
|
|
|
|
@@ -4,7 +4,7 @@
|
|
|
|
<meta http-equiv="Content-Security-Policy" content="
|
|
|
|
default-src 'none';
|
|
|
|
child-src 'self' data: blob:;
|
|
|
|
- script-src 'self' 'unsafe-eval' 'sha256-fh3TwPMflhsEIpR8g1OYTIMVWhXTLcjQ9kh2tIpmv54=' https:;
|
|
|
|
+ script-src 'self' 'unsafe-eval' 'sha256-yHVIAbzODFRINjoLGID5qWPP45HzMtwhyVRC+7yiuXg=' https:;
|
|
|
|
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
|
|
|
|
</head>
|
|
|
|
<body>
|
|
|
|
@@ -23,6 +23,13 @@
|
|
|
|
// validation not requested
|
|
|
|
return start();
|
|
|
|
}
|
|
|
|
+
|
2022-05-04 23:58:49 +02:00
|
|
|
+ // It is safe to run if we are on the same host.
|
|
|
|
+ const parent = new URL(parentOrigin)
|
2022-06-21 23:51:46 +02:00
|
|
|
+ if (parent.hostname === hostname) {
|
|
|
|
+ return start()
|
2022-05-04 23:58:49 +02:00
|
|
|
+ }
|
|
|
|
+
|
|
|
|
if (!crypto.subtle) {
|
|
|
|
// cannot validate, not running in a secure context
|
2022-06-21 23:51:46 +02:00
|
|
|
return sendError(new Error(`Cannot validate in current context!`));
|