OCram85/code-server
Archived
1
0
Fork 0
Code Pull Requests 2 Activity
This repository has been archived on 2024-09-09. You can view files and clone it, but cannot push or open issues or pull requests.
6d8ed77fb0
code-server/patches/webview.diff

144 lines
7.2 KiB
Diff
Raw Normal View History

chore: move to patches (#4997) * Move integration types into code-server This will be easier to maintain than to have it as a patch. * Disable connection token Using a flag means we will not need to patch it out. I think this is new from 1.64? * Add product.json to build process This way we do not have to patch it. * Ship with remote agent package.json Instead of the root one. This contains fewer dependencies. * Let Code handle errors This way we will not have to patch Code to make this work and I think it makes sense to let Code handle the request. If we do want to handle errors we can do it cleanly by patching their error handler to throw instead. * Move manifest override into code-server This way we will not have to patch it. * Move to patches - Switch submodule to track upstream - Add quilt to the process - Add patches The node-* ignore was ignoring one of the diffs so I removed it. This was added when we were curling Node as node-v{version}-darwin-x64 for the macOS build but this no longer happens (we use the Node action to install a specific version now so we just use the system-wide Node). * Use pre-packaged Code
2022-03-22 21:07:14 +01:00
Serve webviews from the same origin
Normally webviews are served from vscode-webview.net but we would rather them be
self-hosted.
When doing this CSP will block resources (for example when viewing images) so
add 'self' to the CSP to fix that.
fix: webviews failing to load the iframe HTML (#5103) Code added in 1.65.0 broke webviews when you are hosting them from the same domain.
2022-04-14 20:02:52 +02:00
Additionally the service worker defaults to handling *all* requests made to the
current host but when self-hosting the webview this will end up including the
webview HTML itself which means these requests will fail since the communication
channel between the webview and the main thread has not been set up yet as the
webview itself is not ready yet (it has no HTML and therefore no script either).
Since this code exists only for the authentication case we can just skip it when
it is served from the current host as authentication is not a problem if the
request is not cross-origin.
chore: upgrade Code to 1.66 (#5135) * chore: upgrade Code to 1.66 * docs: update docs for Code upgrades * fixup!: docs * chore: update vscode submodule * chore: update integration patch * chore: update node-version patch * chore: update github-auth patch They completely changed how auth is handled for GitHub in https://github.com/microsoft/vscode/pull/145424 so our patch may not work. Will need to test and revisit. * refactor: remove postinstall patch It appears they renamed postinstall.js to postinstall.mjs and removed the use of `rimraf` which means our patch is no longer needed! :tada: https://github.com/microsoft/vscode/commit/b0e8554cced292871a67748a18926cfd02f4e840 * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: bulk refresh patches * fixup!: docs formatting * refactor: remove unused last-opened patch * fixup!: formatting docs * fixup!: formatting docs * refactor: remove rsync postinstall * Revert "refactor: remove rsync postinstall" This reverts commit 8d6b613e9d779ba18d0297710614516cde108bcf. * refactor: update postinstall.js to .mjs * feat(patches): add parent-origin bypass * docs(patches): add notes for testing store-socket * docs(patches): update testing info for node-version * refactor(patches): delete github-auth.diff patch * docs(patches): add notes for testing connection-type * fixup!: delete github-auth patch * fixup!: update connection type testing * docs(patches): add notes to insecure-notification.diff * docs(patches): add nots for update-check.diff * fixup!: remove comma in integration patch * fix(e2e): disable workspace trust * refactor: add --no-default-rc for yarn install * feat(patches): remove yarnrc in presinstall * fixup!: silly mistake * docs: add note about KEEP_MODULES=1 * docs(patches): add testing notes for node-version * refactor(patches): remove node-version It appears this is no longer needed due to the `remote/package.json` now which targets node rather than electron. * fixup!: add cd ../.. to code upgrade instructions * fixup!: add note to yarn --production flag * fixup!: make parent-origin easier to upstream * Revert "refactor(patches): delete github-auth.diff patch" This reverts commit 31a354a34345309fadc475491b392d7601e51a32. * Revert "fixup!: delete github-auth patch" This reverts commit bdeb5212e8c7be6cadd109941b486a4bcdae69fa. * Merge webview origin patch into webview patch * Remove unused post-install patch * Prevent builtin extensions from updating * Refresh sourcemaps patch * Update Node to v16 This matches the version in ./lib/vscode/remote/.yarnrc. I changed the engine to exactly 16 since if you use any different version it will just not work since the modules will have been built for 16 (due to the .yarnrc). * Replace fs.rmdir with fs.rm Node is showing a deprecation warning about it. * Update github-auth patch The local credentials provider is no longer used when there is a remote so this code moved into the backend web credential provider. * Prevent fs.rm from erroring about non-existent files We were using fs.rmdir which presumably did not have the same behavior in v14 (in v16 fs.rmdir also errors). * Install Python 3 in CentOS CI container Co-authored-by: Asher <ash@coder.com>
2022-05-04 23:58:49 +02:00
There is also an origin check we bypass (this seems to be related to how the
webview host is separate by default but we serve on the same host).
fix: webviews failing to load the iframe HTML (#5103) Code added in 1.65.0 broke webviews when you are hosting them from the same domain.
2022-04-14 20:02:52 +02:00
To test, open a few types of webviews (images, markdown, extension details, etc).
chore: update Code to 1.72.2 (#5650) * chore: update Code to 1.72.2 * chore: refresh integration patch * chore: refresh base-path * chore: refresh proposed-api patch * chore: refresh marketplace patch * chore: refresh webview patch * chore: refresh disable-builtin patch * chore: refresh logout, update-check patches * chor: refresh proxy-uri patch * fix: delete unique-db patch This was supposed to be removed in https://github.com/coder/code-server/pull/5519 Looks like I didn't update the series or actually delete the patch. * fix: drop log-level patch This was merged upstream! * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: refresh sourcemaps patch * chore: refresh disable-downloads patch * chore: refresh telemetry patch * chore: refresh language patch * chore: refresh cli-window-open patch * Revert "fix: delete unique-db patch" This reverts commit ca0506c5f6b49da5644697bb2f5b29d135a8d201. * fixup!: rm extra spaces integration patch * fixup: space * fixup! update unique-db patch * fixup!: update hash in webview patch * fixup! update marketplace patch * fixup!: remove comma
2022-10-18 01:30:39 +02:00
Make sure to update the hash. To do so:
1. run code-server
2. open any webview (i.e. preview Markdown)
3. see error in console and copy hash
fix: CSP and webview errors (#5712) * fix: update hashes in webview patch We missed a hash update and also had the wrong hash for another HTML file which caused issues in 4.8.0. * refactor: move parent-origin into webview
2022-10-26 20:20:11 +02:00
That will test the hash change in pre/index.html
Double-check the console to make sure there are no console errors for the webWorkerExtensionHostIframe
which also requires a hash change.
parentOriginHash changes
This fixes webviews from not working properly due to a change upstream.
Upstream added a check to ensure parent authority is encoded into the webview
origin. Since our webview origin is the parent authority, we can bypass this
check.
chore: move to patches (#4997) * Move integration types into code-server This will be easier to maintain than to have it as a patch. * Disable connection token Using a flag means we will not need to patch it out. I think this is new from 1.64? * Add product.json to build process This way we do not have to patch it. * Ship with remote agent package.json Instead of the root one. This contains fewer dependencies. * Let Code handle errors This way we will not have to patch Code to make this work and I think it makes sense to let Code handle the request. If we do want to handle errors we can do it cleanly by patching their error handler to throw instead. * Move manifest override into code-server This way we will not have to patch it. * Move to patches - Switch submodule to track upstream - Add quilt to the process - Add patches The node-* ignore was ignoring one of the diffs so I removed it. This was added when we were curling Node as node-v{version}-darwin-x64 for the macOS build but this no longer happens (we use the Node action to install a specific version now so we just use the system-wide Node). * Use pre-packaged Code
2022-03-22 21:07:14 +01:00
Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
+++ code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
Update Code to 1.75.0 (#6004) * Update Code to 1.75.0 - getting-started.diff: The way to get an icon's class changed - proxy-uri.diff: The product service is passed in so we can get the proxy URI from that now instead of passing it in separately. * Remove workspace trust test Something in how/when Code displays the trust dialog appears to have changed, failing the test. I am not sure it makes sense for us to be testing upstream code anyway. * Use regular Node for watch Since we spawn the watch script with ts-node it was using ts-node for the web server spawn as well. With latest Code there are for some reason type errors (it cannot find @types/node) but this is already compiled code which already passed type checks; any type errors here are useless. To fix spawn with regular Node. * Fix some workers not loading
2023-02-07 23:22:06 +01:00
@@ -224,7 +224,7 @@ export class BrowserWorkbenchEnvironment
chore: move to patches (#4997) * Move integration types into code-server This will be easier to maintain than to have it as a patch. * Disable connection token Using a flag means we will not need to patch it out. I think this is new from 1.64? * Add product.json to build process This way we do not have to patch it. * Ship with remote agent package.json Instead of the root one. This contains fewer dependencies. * Let Code handle errors This way we will not have to patch Code to make this work and I think it makes sense to let Code handle the request. If we do want to handle errors we can do it cleanly by patching their error handler to throw instead. * Move manifest override into code-server This way we will not have to patch it. * Move to patches - Switch submodule to track upstream - Add quilt to the process - Add patches The node-* ignore was ignoring one of the diffs so I removed it. This was added when we were curling Node as node-v{version}-darwin-x64 for the macOS build but this no longer happens (we use the Node action to install a specific version now so we just use the system-wide Node). * Use pre-packaged Code
2022-03-22 21:07:14 +01:00
@memoize
get webviewExternalEndpoint(): string {
- const endpoint = this.options.webviewEndpoint
+ const endpoint = (this.options.webviewEndpoint && new URL(this.options.webviewEndpoint, window.location.toString()).toString())
|| this.productService.webviewContentExternalBaseUrlTemplate
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
|| 'https://{{uuid}}.vscode-cdn.net/{{quality}}/{{commit}}/out/vs/workbench/contrib/webview/browser/pre/';
chore: move to patches (#4997) * Move integration types into code-server This will be easier to maintain than to have it as a patch. * Disable connection token Using a flag means we will not need to patch it out. I think this is new from 1.64? * Add product.json to build process This way we do not have to patch it. * Ship with remote agent package.json Instead of the root one. This contains fewer dependencies. * Let Code handle errors This way we will not have to patch Code to make this work and I think it makes sense to let Code handle the request. If we do want to handle errors we can do it cleanly by patching their error handler to throw instead. * Move manifest override into code-server This way we will not have to patch it. * Move to patches - Switch submodule to track upstream - Add quilt to the process - Add patches The node-* ignore was ignoring one of the diffs so I removed it. This was added when we were curling Node as node-v{version}-darwin-x64 for the macOS build but this no longer happens (we use the Node action to install a specific version now so we just use the system-wide Node). * Use pre-packaged Code
2022-03-22 21:07:14 +01:00
Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
===================================================================
--- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
+++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
chore: update Code to 1.70 (#5422) * Update upstream Code to 1.70 * Update CSP hashes * Update comment on remote authority Also remove it from script-src since it is invalid anyway. * Use absolute path for disable download patch Just to keep it consistent with the other imports. We initially added the patch like this so it was not part of the upgrade but might as well fix it now. * Fix inability to change language while code-server is running Co-authored-by: Asher <ash@coder.com>
2022-08-17 03:26:19 +02:00
@@ -302,6 +302,7 @@ export class WebClientServer {
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
const workbenchWebConfiguration = {
remoteAuthority,
+ webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
_wrapWebWorkerExtHostInIframe,
chore: update Code to 1.72.2 (#5650) * chore: update Code to 1.72.2 * chore: refresh integration patch * chore: refresh base-path * chore: refresh proposed-api patch * chore: refresh marketplace patch * chore: refresh webview patch * chore: refresh disable-builtin patch * chore: refresh logout, update-check patches * chor: refresh proxy-uri patch * fix: delete unique-db patch This was supposed to be removed in https://github.com/coder/code-server/pull/5519 Looks like I didn't update the series or actually delete the patch. * fix: drop log-level patch This was merged upstream! * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: refresh sourcemaps patch * chore: refresh disable-downloads patch * chore: refresh telemetry patch * chore: refresh language patch * chore: refresh cli-window-open patch * Revert "fix: delete unique-db patch" This reverts commit ca0506c5f6b49da5644697bb2f5b29d135a8d201. * fixup!: rm extra spaces integration patch * fixup: space * fixup! update unique-db patch * fixup!: update hash in webview patch * fixup! update marketplace patch * fixup!: remove comma
2022-10-18 01:30:39 +02:00
developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined, logLevel: this._logService.getLevel() },
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
Update Code to 1.75.0 (#6004) * Update Code to 1.75.0 - getting-started.diff: The way to get an icon's class changed - proxy-uri.diff: The product service is passed in so we can get the proxy URI from that now instead of passing it in separately. * Remove workspace trust test Something in how/when Code displays the trust dialog appears to have changed, failing the test. I am not sure it makes sense for us to be testing upstream code anyway. * Use regular Node for watch Since we spawn the watch script with ts-node it was using ts-node for the web server spawn as well. With latest Code there are for some reason type errors (it cannot find @types/node) but this is already compiled code which already passed type checks; any type errors here are useless. To fix spawn with regular Node. * Fix some workers not loading
2023-02-07 23:22:06 +01:00
@@ -344,7 +345,7 @@ export class WebClientServer {
`script-src 'self' 'unsafe-eval' ${this._getScriptCspHashes(data).join(' ')} 'sha256-fh3TwPMflhsEIpR8g1OYTIMVWhXTLcjQ9kh2tIpmv54=';`, // the sha is the same as in src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
'child-src \'self\';',
`frame-src 'self' https://*.vscode-cdn.net data:;`,
- 'worker-src \'self\' data:;',
+ 'worker-src \'self\' data: blob:;',
'style-src \'self\' \'unsafe-inline\';',
'connect-src \'self\' ws: wss: https:;',
'font-src \'self\' blob:;',
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
chore: move to patches (#4997) * Move integration types into code-server This will be easier to maintain than to have it as a patch. * Disable connection token Using a flag means we will not need to patch it out. I think this is new from 1.64? * Add product.json to build process This way we do not have to patch it. * Ship with remote agent package.json Instead of the root one. This contains fewer dependencies. * Let Code handle errors This way we will not have to patch Code to make this work and I think it makes sense to let Code handle the request. If we do want to handle errors we can do it cleanly by patching their error handler to throw instead. * Move manifest override into code-server This way we will not have to patch it. * Move to patches - Switch submodule to track upstream - Add quilt to the process - Add patches The node-* ignore was ignoring one of the diffs so I removed it. This was added when we were curling Node as node-v{version}-darwin-x64 for the macOS build but this no longer happens (we use the Node action to install a specific version now so we just use the system-wide Node). * Use pre-packaged Code
2022-03-22 21:07:14 +01:00
===================================================================
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
fix: CSP and webview errors (#5712) * fix: update hashes in webview patch We missed a hash update and also had the wrong hash for another HTML file which caused issues in 4.8.0. * refactor: move parent-origin into webview
2022-10-26 20:20:11 +02:00
@@ -5,7 +5,7 @@
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
Update Code to 1.75.0 (#6004) * Update Code to 1.75.0 - getting-started.diff: The way to get an icon's class changed - proxy-uri.diff: The product service is passed in so we can get the proxy URI from that now instead of passing it in separately. * Remove workspace trust test Something in how/when Code displays the trust dialog appears to have changed, failing the test. I am not sure it makes sense for us to be testing upstream code anyway. * Use regular Node for watch Since we spawn the watch script with ts-node it was using ts-node for the web server spawn as well. With latest Code there are for some reason type errors (it cannot find @types/node) but this is already compiled code which already passed type checks; any type errors here are useless. To fix spawn with regular Node. * Fix some workers not loading
2023-02-07 23:22:06 +01:00
- content="default-src 'none'; script-src 'sha256-RaCvj6SRgHm+2C3LKzSAamDwa3Bp4u4iQ1Y2Sm+97tE=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+ content="default-src 'none'; script-src 'sha256-mi72idjvdhsPSBMKFqU82FG/kZVJjKR0TfHLE13gB+w=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
fix: CSP and webview errors (#5712) * fix: update hashes in webview patch We missed a hash update and also had the wrong hash for another HTML file which caused issues in 4.8.0. * refactor: move parent-origin into webview
2022-10-26 20:20:11 +02:00
<!-- Disable pinch zooming -->
<meta name="viewport"
chore: upgrade Code to 1.74.1 (#5909) * chore: upgrade Code to 1.74.1 * chore: remove require in integration.diff I don't know what the impact of this is but in https://github.com/microsoft/vscode/commit/192c67db71e8c261f26e2f34c86a4791ae428b2f they removed the usage of `require` in `server.main.ts`. More details in PR: https://github.com/microsoft/vscode/pull/165831 * chore: update marketplace.diff * chore: update sha hash in webview.diff * chore: update disable-builtin-ext-update.diff If my logic is right, then this patch is now simplified thanks to this: https://github.com/microsoft/vscode/blob/1.74.1/src/vs/workbench/contrib/extensions/browser/extensionsWorkbenchService.ts#L1238 * chore: refresh proxy-uri patch * chore: refresh local-storage.diff * chore: refresh sourcemaps.diff * chore: refresh disable-downloads.diff * chore: refresh display-language.diff * chore: refresh getting-started.diff * docs: update testing notes for cli-window-open * docs: update telemetry testing instructions * fix: add GITHUB_TOKEN to build code-server job Downloading @vscode/ripgrep is failing only in CI so adding this environment variable to see if it increases the rate limit. Ref: https://github.com/microsoft/vscode-ripgrep#github-api-limit-note * refactor: use own cache key build code-server job * temp: disable vscode test * refactor: delete wrapper test * Revert "refactor: delete wrapper test" This reverts commit 3999279b73c3519c7dbb03dfc7076bf26f717e13. * refactor: move vscode tests to e2e (#5911) * wip: migrate vscode tests to e2e * feat: add codeWorkspace to global setup * refactor: only use dir in spawn when we should * wip: migrate more tests * refactor: move all vscode tests to e2e * refactor(ci): move unit to own job * fixup: add codecov to unit test step * Update test/e2e/models/CodeServer.ts * Update test/e2e/models/CodeServer.ts * docs: add note about intercept requests * refactor: rm unused clean() calls * refactor: delete duplicate test * refactor: update 'should not redirect' test * refactor: rm unused imports * refactor: rm unnecessary navigate call in test * fixup: formatting * wip: update test * refactor: modify assertion for proxy * fixup: use REVERSE_PROXY_BASE_PATH * refactor: add helper fn getMaybeProxiedPathname * fixup: formatting * fixup: rm unused import * chore: increase playwright timeout * Revert "chore: increase playwright timeout" This reverts commit a059129252216c5f5cba83e9bca3d90cf658b7be. * chore: rm timeout
2022-12-22 18:25:28 +01:00
@@ -325,6 +325,12 @@
chore: move to patches (#4997) * Move integration types into code-server This will be easier to maintain than to have it as a patch. * Disable connection token Using a flag means we will not need to patch it out. I think this is new from 1.64? * Add product.json to build process This way we do not have to patch it. * Ship with remote agent package.json Instead of the root one. This contains fewer dependencies. * Let Code handle errors This way we will not have to patch Code to make this work and I think it makes sense to let Code handle the request. If we do want to handle errors we can do it cleanly by patching their error handler to throw instead. * Move manifest override into code-server This way we will not have to patch it. * Move to patches - Switch submodule to track upstream - Add quilt to the process - Add patches The node-* ignore was ignoring one of the diffs so I removed it. This was added when we were curling Node as node-v{version}-darwin-x64 for the macOS build but this no longer happens (we use the Node action to install a specific version now so we just use the system-wide Node). * Use pre-packaged Code
2022-03-22 21:07:14 +01:00
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
const hostname = location.hostname;
fix: webviews failing to load the iframe HTML (#5103) Code added in 1.65.0 broke webviews when you are hosting them from the same domain.
2022-04-14 20:02:52 +02:00
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
+ // It is safe to run if we are on the same host.
+ const parent = new URL(parentOrigin)
+ if (parent.hostname === hostname) {
+ return start(parentOrigin)
+ }
+
if (!crypto.subtle) {
// cannot validate, not running in a secure context
chore: update Code to 1.72.2 (#5650) * chore: update Code to 1.72.2 * chore: refresh integration patch * chore: refresh base-path * chore: refresh proposed-api patch * chore: refresh marketplace patch * chore: refresh webview patch * chore: refresh disable-builtin patch * chore: refresh logout, update-check patches * chor: refresh proxy-uri patch * fix: delete unique-db patch This was supposed to be removed in https://github.com/coder/code-server/pull/5519 Looks like I didn't update the series or actually delete the patch. * fix: drop log-level patch This was merged upstream! * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: refresh sourcemaps patch * chore: refresh disable-downloads patch * chore: refresh telemetry patch * chore: refresh language patch * chore: refresh cli-window-open patch * Revert "fix: delete unique-db patch" This reverts commit ca0506c5f6b49da5644697bb2f5b29d135a8d201. * fixup!: rm extra spaces integration patch * fixup: space * fixup! update unique-db patch * fixup!: update hash in webview patch * fixup! update marketplace patch * fixup!: remove comma
2022-10-18 01:30:39 +02:00
throw new Error(`'crypto.subtle' is not available so webviews will not work. This is likely because the editor is not running in a secure context (https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts).`);
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
chore: upgrade Code to 1.66 (#5135) * chore: upgrade Code to 1.66 * docs: update docs for Code upgrades * fixup!: docs * chore: update vscode submodule * chore: update integration patch * chore: update node-version patch * chore: update github-auth patch They completely changed how auth is handled for GitHub in https://github.com/microsoft/vscode/pull/145424 so our patch may not work. Will need to test and revisit. * refactor: remove postinstall patch It appears they renamed postinstall.js to postinstall.mjs and removed the use of `rimraf` which means our patch is no longer needed! :tada: https://github.com/microsoft/vscode/commit/b0e8554cced292871a67748a18926cfd02f4e840 * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: bulk refresh patches * fixup!: docs formatting * refactor: remove unused last-opened patch * fixup!: formatting docs * fixup!: formatting docs * refactor: remove rsync postinstall * Revert "refactor: remove rsync postinstall" This reverts commit 8d6b613e9d779ba18d0297710614516cde108bcf. * refactor: update postinstall.js to .mjs * feat(patches): add parent-origin bypass * docs(patches): add notes for testing store-socket * docs(patches): update testing info for node-version * refactor(patches): delete github-auth.diff patch * docs(patches): add notes for testing connection-type * fixup!: delete github-auth patch * fixup!: update connection type testing * docs(patches): add notes to insecure-notification.diff * docs(patches): add nots for update-check.diff * fixup!: remove comma in integration patch * fix(e2e): disable workspace trust * refactor: add --no-default-rc for yarn install * feat(patches): remove yarnrc in presinstall * fixup!: silly mistake * docs: add note about KEEP_MODULES=1 * docs(patches): add testing notes for node-version * refactor(patches): remove node-version It appears this is no longer needed due to the `remote/package.json` now which targets node rather than electron. * fixup!: add cd ../.. to code upgrade instructions * fixup!: add note to yarn --production flag * fixup!: make parent-origin easier to upstream * Revert "refactor(patches): delete github-auth.diff patch" This reverts commit 31a354a34345309fadc475491b392d7601e51a32. * Revert "fixup!: delete github-auth patch" This reverts commit bdeb5212e8c7be6cadd109941b486a4bcdae69fa. * Merge webview origin patch into webview patch * Remove unused post-install patch * Prevent builtin extensions from updating * Refresh sourcemaps patch * Update Node to v16 This matches the version in ./lib/vscode/remote/.yarnrc. I changed the engine to exactly 16 since if you use any different version it will just not work since the modules will have been built for 16 (due to the .yarnrc). * Replace fs.rmdir with fs.rm Node is showing a deprecation warning about it. * Update github-auth patch The local credentials provider is no longer used when there is a remote so this code moved into the backend web credential provider. * Prevent fs.rm from erroring about non-existent files We were using fs.rmdir which presumably did not have the same behavior in v14 (in v16 fs.rmdir also errors). * Install Python 3 in CentOS CI container Co-authored-by: Asher <ash@coder.com>
2022-05-04 23:58:49 +02:00
===================================================================
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
Update to 1.75.1
2023-02-13 17:45:24 +01:00
@@ -324,6 +324,12 @@
chore: upgrade Code to 1.66 (#5135) * chore: upgrade Code to 1.66 * docs: update docs for Code upgrades * fixup!: docs * chore: update vscode submodule * chore: update integration patch * chore: update node-version patch * chore: update github-auth patch They completely changed how auth is handled for GitHub in https://github.com/microsoft/vscode/pull/145424 so our patch may not work. Will need to test and revisit. * refactor: remove postinstall patch It appears they renamed postinstall.js to postinstall.mjs and removed the use of `rimraf` which means our patch is no longer needed! :tada: https://github.com/microsoft/vscode/commit/b0e8554cced292871a67748a18926cfd02f4e840 * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: bulk refresh patches * fixup!: docs formatting * refactor: remove unused last-opened patch * fixup!: formatting docs * fixup!: formatting docs * refactor: remove rsync postinstall * Revert "refactor: remove rsync postinstall" This reverts commit 8d6b613e9d779ba18d0297710614516cde108bcf. * refactor: update postinstall.js to .mjs * feat(patches): add parent-origin bypass * docs(patches): add notes for testing store-socket * docs(patches): update testing info for node-version * refactor(patches): delete github-auth.diff patch * docs(patches): add notes for testing connection-type * fixup!: delete github-auth patch * fixup!: update connection type testing * docs(patches): add notes to insecure-notification.diff * docs(patches): add nots for update-check.diff * fixup!: remove comma in integration patch * fix(e2e): disable workspace trust * refactor: add --no-default-rc for yarn install * feat(patches): remove yarnrc in presinstall * fixup!: silly mistake * docs: add note about KEEP_MODULES=1 * docs(patches): add testing notes for node-version * refactor(patches): remove node-version It appears this is no longer needed due to the `remote/package.json` now which targets node rather than electron. * fixup!: add cd ../.. to code upgrade instructions * fixup!: add note to yarn --production flag * fixup!: make parent-origin easier to upstream * Revert "refactor(patches): delete github-auth.diff patch" This reverts commit 31a354a34345309fadc475491b392d7601e51a32. * Revert "fixup!: delete github-auth patch" This reverts commit bdeb5212e8c7be6cadd109941b486a4bcdae69fa. * Merge webview origin patch into webview patch * Remove unused post-install patch * Prevent builtin extensions from updating * Refresh sourcemaps patch * Update Node to v16 This matches the version in ./lib/vscode/remote/.yarnrc. I changed the engine to exactly 16 since if you use any different version it will just not work since the modules will have been built for 16 (due to the .yarnrc). * Replace fs.rmdir with fs.rm Node is showing a deprecation warning about it. * Update github-auth patch The local credentials provider is no longer used when there is a remote so this code moved into the backend web credential provider. * Prevent fs.rm from erroring about non-existent files We were using fs.rmdir which presumably did not have the same behavior in v14 (in v16 fs.rmdir also errors). * Install Python 3 in CentOS CI container Co-authored-by: Asher <ash@coder.com>
2022-05-04 23:58:49 +02:00
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
const hostname = location.hostname;
chore: upgrade Code to 1.66 (#5135) * chore: upgrade Code to 1.66 * docs: update docs for Code upgrades * fixup!: docs * chore: update vscode submodule * chore: update integration patch * chore: update node-version patch * chore: update github-auth patch They completely changed how auth is handled for GitHub in https://github.com/microsoft/vscode/pull/145424 so our patch may not work. Will need to test and revisit. * refactor: remove postinstall patch It appears they renamed postinstall.js to postinstall.mjs and removed the use of `rimraf` which means our patch is no longer needed! :tada: https://github.com/microsoft/vscode/commit/b0e8554cced292871a67748a18926cfd02f4e840 * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: bulk refresh patches * fixup!: docs formatting * refactor: remove unused last-opened patch * fixup!: formatting docs * fixup!: formatting docs * refactor: remove rsync postinstall * Revert "refactor: remove rsync postinstall" This reverts commit 8d6b613e9d779ba18d0297710614516cde108bcf. * refactor: update postinstall.js to .mjs * feat(patches): add parent-origin bypass * docs(patches): add notes for testing store-socket * docs(patches): update testing info for node-version * refactor(patches): delete github-auth.diff patch * docs(patches): add notes for testing connection-type * fixup!: delete github-auth patch * fixup!: update connection type testing * docs(patches): add notes to insecure-notification.diff * docs(patches): add nots for update-check.diff * fixup!: remove comma in integration patch * fix(e2e): disable workspace trust * refactor: add --no-default-rc for yarn install * feat(patches): remove yarnrc in presinstall * fixup!: silly mistake * docs: add note about KEEP_MODULES=1 * docs(patches): add testing notes for node-version * refactor(patches): remove node-version It appears this is no longer needed due to the `remote/package.json` now which targets node rather than electron. * fixup!: add cd ../.. to code upgrade instructions * fixup!: add note to yarn --production flag * fixup!: make parent-origin easier to upstream * Revert "refactor(patches): delete github-auth.diff patch" This reverts commit 31a354a34345309fadc475491b392d7601e51a32. * Revert "fixup!: delete github-auth patch" This reverts commit bdeb5212e8c7be6cadd109941b486a4bcdae69fa. * Merge webview origin patch into webview patch * Remove unused post-install patch * Prevent builtin extensions from updating * Refresh sourcemaps patch * Update Node to v16 This matches the version in ./lib/vscode/remote/.yarnrc. I changed the engine to exactly 16 since if you use any different version it will just not work since the modules will have been built for 16 (due to the .yarnrc). * Replace fs.rmdir with fs.rm Node is showing a deprecation warning about it. * Update github-auth patch The local credentials provider is no longer used when there is a remote so this code moved into the backend web credential provider. * Prevent fs.rm from erroring about non-existent files We were using fs.rmdir which presumably did not have the same behavior in v14 (in v16 fs.rmdir also errors). * Install Python 3 in CentOS CI container Co-authored-by: Asher <ash@coder.com>
2022-05-04 23:58:49 +02:00
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
+ // It is safe to run if we are on the same host.
+ const parent = new URL(parentOrigin)
+ if (parent.hostname === hostname) {
+ return start(parentOrigin)
+ }
+
if (!crypto.subtle) {
// cannot validate, not running in a secure context
chore: update Code to 1.72.2 (#5650) * chore: update Code to 1.72.2 * chore: refresh integration patch * chore: refresh base-path * chore: refresh proposed-api patch * chore: refresh marketplace patch * chore: refresh webview patch * chore: refresh disable-builtin patch * chore: refresh logout, update-check patches * chor: refresh proxy-uri patch * fix: delete unique-db patch This was supposed to be removed in https://github.com/coder/code-server/pull/5519 Looks like I didn't update the series or actually delete the patch. * fix: drop log-level patch This was merged upstream! * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: refresh sourcemaps patch * chore: refresh disable-downloads patch * chore: refresh telemetry patch * chore: refresh language patch * chore: refresh cli-window-open patch * Revert "fix: delete unique-db patch" This reverts commit ca0506c5f6b49da5644697bb2f5b29d135a8d201. * fixup!: rm extra spaces integration patch * fixup: space * fixup! update unique-db patch * fixup!: update hash in webview patch * fixup! update marketplace patch * fixup!: remove comma
2022-10-18 01:30:39 +02:00
throw new Error(`'crypto.subtle' is not available so webviews will not work. This is likely because the editor is not running in a secure context (https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts).`);
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
@@ -4,7 +4,7 @@
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
child-src 'self' data: blob:;
chore: update Code to 1.70 (#5422) * Update upstream Code to 1.70 * Update CSP hashes * Update comment on remote authority Also remove it from script-src since it is invalid anyway. * Use absolute path for disable download patch Just to keep it consistent with the other imports. We initially added the patch like this so it was not part of the upgrade but might as well fix it now. * Fix inability to change language while code-server is running Co-authored-by: Asher <ash@coder.com>
2022-08-17 03:26:19 +02:00
- script-src 'self' 'unsafe-eval' 'sha256-/r7rqQ+yrxt57sxLuQ6AMYcy/lUpvAIzHjIJt/OeLWU=' https:;
fix: CSP and webview errors (#5712) * fix: update hashes in webview patch We missed a hash update and also had the wrong hash for another HTML file which caused issues in 4.8.0. * refactor: move parent-origin into webview
2022-10-26 20:20:11 +02:00
+ script-src 'self' 'unsafe-eval' 'sha256-TkIM/TmudlFEe0ZRp0ptvN54LClwk30Rql4ZPE0hm/I=' https:;
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
</head>
<body>
@@ -23,6 +23,13 @@
// validation not requested
return start();
}
+
chore: upgrade Code to 1.66 (#5135) * chore: upgrade Code to 1.66 * docs: update docs for Code upgrades * fixup!: docs * chore: update vscode submodule * chore: update integration patch * chore: update node-version patch * chore: update github-auth patch They completely changed how auth is handled for GitHub in https://github.com/microsoft/vscode/pull/145424 so our patch may not work. Will need to test and revisit. * refactor: remove postinstall patch It appears they renamed postinstall.js to postinstall.mjs and removed the use of `rimraf` which means our patch is no longer needed! :tada: https://github.com/microsoft/vscode/commit/b0e8554cced292871a67748a18926cfd02f4e840 * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: bulk refresh patches * fixup!: docs formatting * refactor: remove unused last-opened patch * fixup!: formatting docs * fixup!: formatting docs * refactor: remove rsync postinstall * Revert "refactor: remove rsync postinstall" This reverts commit 8d6b613e9d779ba18d0297710614516cde108bcf. * refactor: update postinstall.js to .mjs * feat(patches): add parent-origin bypass * docs(patches): add notes for testing store-socket * docs(patches): update testing info for node-version * refactor(patches): delete github-auth.diff patch * docs(patches): add notes for testing connection-type * fixup!: delete github-auth patch * fixup!: update connection type testing * docs(patches): add notes to insecure-notification.diff * docs(patches): add nots for update-check.diff * fixup!: remove comma in integration patch * fix(e2e): disable workspace trust * refactor: add --no-default-rc for yarn install * feat(patches): remove yarnrc in presinstall * fixup!: silly mistake * docs: add note about KEEP_MODULES=1 * docs(patches): add testing notes for node-version * refactor(patches): remove node-version It appears this is no longer needed due to the `remote/package.json` now which targets node rather than electron. * fixup!: add cd ../.. to code upgrade instructions * fixup!: add note to yarn --production flag * fixup!: make parent-origin easier to upstream * Revert "refactor(patches): delete github-auth.diff patch" This reverts commit 31a354a34345309fadc475491b392d7601e51a32. * Revert "fixup!: delete github-auth patch" This reverts commit bdeb5212e8c7be6cadd109941b486a4bcdae69fa. * Merge webview origin patch into webview patch * Remove unused post-install patch * Prevent builtin extensions from updating * Refresh sourcemaps patch * Update Node to v16 This matches the version in ./lib/vscode/remote/.yarnrc. I changed the engine to exactly 16 since if you use any different version it will just not work since the modules will have been built for 16 (due to the .yarnrc). * Replace fs.rmdir with fs.rm Node is showing a deprecation warning about it. * Update github-auth patch The local credentials provider is no longer used when there is a remote so this code moved into the backend web credential provider. * Prevent fs.rm from erroring about non-existent files We were using fs.rmdir which presumably did not have the same behavior in v14 (in v16 fs.rmdir also errors). * Install Python 3 in CentOS CI container Co-authored-by: Asher <ash@coder.com>
2022-05-04 23:58:49 +02:00
+ // It is safe to run if we are on the same host.
+ const parent = new URL(parentOrigin)
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
+ if (parent.hostname === hostname) {
+ return start()
chore: upgrade Code to 1.66 (#5135) * chore: upgrade Code to 1.66 * docs: update docs for Code upgrades * fixup!: docs * chore: update vscode submodule * chore: update integration patch * chore: update node-version patch * chore: update github-auth patch They completely changed how auth is handled for GitHub in https://github.com/microsoft/vscode/pull/145424 so our patch may not work. Will need to test and revisit. * refactor: remove postinstall patch It appears they renamed postinstall.js to postinstall.mjs and removed the use of `rimraf` which means our patch is no longer needed! :tada: https://github.com/microsoft/vscode/commit/b0e8554cced292871a67748a18926cfd02f4e840 * chore: refresh local-storage patch * chore: refresh service-worker patch * chore: bulk refresh patches * fixup!: docs formatting * refactor: remove unused last-opened patch * fixup!: formatting docs * fixup!: formatting docs * refactor: remove rsync postinstall * Revert "refactor: remove rsync postinstall" This reverts commit 8d6b613e9d779ba18d0297710614516cde108bcf. * refactor: update postinstall.js to .mjs * feat(patches): add parent-origin bypass * docs(patches): add notes for testing store-socket * docs(patches): update testing info for node-version * refactor(patches): delete github-auth.diff patch * docs(patches): add notes for testing connection-type * fixup!: delete github-auth patch * fixup!: update connection type testing * docs(patches): add notes to insecure-notification.diff * docs(patches): add nots for update-check.diff * fixup!: remove comma in integration patch * fix(e2e): disable workspace trust * refactor: add --no-default-rc for yarn install * feat(patches): remove yarnrc in presinstall * fixup!: silly mistake * docs: add note about KEEP_MODULES=1 * docs(patches): add testing notes for node-version * refactor(patches): remove node-version It appears this is no longer needed due to the `remote/package.json` now which targets node rather than electron. * fixup!: add cd ../.. to code upgrade instructions * fixup!: add note to yarn --production flag * fixup!: make parent-origin easier to upstream * Revert "refactor(patches): delete github-auth.diff patch" This reverts commit 31a354a34345309fadc475491b392d7601e51a32. * Revert "fixup!: delete github-auth patch" This reverts commit bdeb5212e8c7be6cadd109941b486a4bcdae69fa. * Merge webview origin patch into webview patch * Remove unused post-install patch * Prevent builtin extensions from updating * Refresh sourcemaps patch * Update Node to v16 This matches the version in ./lib/vscode/remote/.yarnrc. I changed the engine to exactly 16 since if you use any different version it will just not work since the modules will have been built for 16 (due to the .yarnrc). * Replace fs.rmdir with fs.rm Node is showing a deprecation warning about it. * Update github-auth patch The local credentials provider is no longer used when there is a remote so this code moved into the backend web credential provider. * Prevent fs.rm from erroring about non-existent files We were using fs.rmdir which presumably did not have the same behavior in v14 (in v16 fs.rmdir also errors). * Install Python 3 in CentOS CI container Co-authored-by: Asher <ash@coder.com>
2022-05-04 23:58:49 +02:00
+ }
+
if (!crypto.subtle) {
// cannot validate, not running in a secure context
chore: update Code to 1.68 (#5263) * chore: update Code to 1.67 Was able to remove our changes to common/webview.ts since they are upstream now. Other than that no serious changes, just context diffs. * chore: update Code to 1.68 - Upstream moved the web socket endpoint so change the Express route from / to *. That will let web sockets work at any endpoint. - Everything in the workbench config is basically the same but de-indented (upstream extracted it into a separate object which resulted in a de-indent), the ordering is slightly different, and instead of vscodeBase we now need vscodeBase + this._staticRoute since everything is served from a sub-path now. - Move manifest link back to the root since that is where we host our manifest. - Change RemoteAuthoritiesImpl to use the same path building method as in other places (+ instead of using URI.parse/join). - Use existing host/port in RemoteAuthoritiesImpl and BrowserSocketFactory instead of patching them to use window.location (these are set from window.location to begin with so it should be the same result but with less patching). - Since BrowserSocketFactory includes a sub-path now (endpoints were changed upstream to serve from /quality/commit instead of from the root) the patch there has changed to prepend the base to that path (instead of using the base directly). - The workbench HTML now natively supports a base URL in the form of WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore. - Upstream added type="image/x-icon" so I did as well. - Move the language patch to the end of the series so it is easier to eventually remove. - Remove the existing NLS config in favor of one that supports extensions. - Upstream deleted webview main.js and inlined it into the HTML so move that code (the parent origin check) into both those HTML files (index.html and index-no-csp.html). - The remaining diff is from changes to the surrounding context or a line was changed slightly by upstream (for example renamed files or new arguments like to the remote authority resolver). * fix: modify product.json before building Code injects this into the client during the build process so it needs to be updated before we build. * fix: update inline script nonces * Update HTML base path test * fix: missing commit Code overrides it with nothing. The date is also already injected. * fix: web extensions breaking when the commit changes By just using the marketplace directly instead of going through the backend. I am not sure what the point is when searching extensions already goes directly to the marketplace anyway. But also remove the prefix that breaks this as well because otherwise existing installations will break.
2022-06-21 23:51:46 +02:00
return sendError(new Error(`Cannot validate in current context!`));
Copy Permalink