fix: CSP and webview errors (#5712)
* fix: update hashes in webview patch We missed a hash update and also had the wrong hash for another HTML file which caused issues in 4.8.0. * refactor: move parent-origin into webview
This commit is contained in:
parent
005fa87699
commit
e6d2d72f9c
@ -1,24 +0,0 @@
|
||||
Remove parentOriginHash checko
|
||||
|
||||
This fixes webviews from not working properly due to a change upstream.
|
||||
Upstream added a check to ensure parent authority is encoded into the webview
|
||||
origin. Since our webview origin is the parent authority, we can bypass this
|
||||
check.
|
||||
|
||||
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
|
||||
===================================================================
|
||||
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
|
||||
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
|
||||
@@ -317,6 +317,12 @@ const hostMessaging = new class HostMess
|
||||
const id = searchParams.get('id');
|
||||
|
||||
const hostname = location.hostname;
|
||||
+
|
||||
+ // It is safe to run if we are on the same host.
|
||||
+ const parent = new URL(parentOrigin)
|
||||
+ if (parent.hostname == location.hostname) {
|
||||
+ return start(parentOrigin)
|
||||
+ }
|
||||
|
||||
if (!crypto.subtle) {
|
||||
// cannot validate, not running in a secure context
|
@ -25,6 +25,18 @@ Make sure to update the hash. To do so:
|
||||
2. open any webview (i.e. preview Markdown)
|
||||
3. see error in console and copy hash
|
||||
|
||||
That will test the hash change in pre/index.html
|
||||
|
||||
Double-check the console to make sure there are no console errors for the webWorkerExtensionHostIframe
|
||||
which also requires a hash change.
|
||||
|
||||
parentOriginHash changes
|
||||
|
||||
This fixes webviews from not working properly due to a change upstream.
|
||||
Upstream added a check to ensure parent authority is encoded into the webview
|
||||
origin. Since our webview origin is the parent authority, we can bypass this
|
||||
check.
|
||||
|
||||
Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
|
||||
===================================================================
|
||||
--- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
|
||||
@ -54,6 +66,15 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
|
||||
===================================================================
|
||||
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
|
||||
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
|
||||
@@ -5,7 +5,7 @@
|
||||
<meta charset="UTF-8">
|
||||
|
||||
<meta http-equiv="Content-Security-Policy"
|
||||
- content="default-src 'none'; script-src 'sha256-wwaDxsm1+SKIUb5YJXiZlYMyV7QPB8+zd6HPcTjigZs=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
|
||||
+ content="default-src 'none'; script-src 'sha256-IZkGO4jZeUn7pzM6pBZCZc9bUYm8oVNV3z8zEa8gxlk=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
|
||||
|
||||
<!-- Disable pinch zooming -->
|
||||
<meta name="viewport"
|
||||
@@ -331,6 +331,12 @@
|
||||
|
||||
const hostname = location.hostname;
|
||||
@ -93,7 +114,7 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWor
|
||||
default-src 'none';
|
||||
child-src 'self' data: blob:;
|
||||
- script-src 'self' 'unsafe-eval' 'sha256-/r7rqQ+yrxt57sxLuQ6AMYcy/lUpvAIzHjIJt/OeLWU=' https:;
|
||||
+ script-src 'self' 'unsafe-eval' 'sha256-wwaDxsm1+SKIUb5YJXiZlYMyV7QPB8+zd6HPcTjigZs=' https:;
|
||||
+ script-src 'self' 'unsafe-eval' 'sha256-TkIM/TmudlFEe0ZRp0ptvN54LClwk30Rql4ZPE0hm/I=' https:;
|
||||
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
|
||||
</head>
|
||||
<body>
|
||||
|
Reference in New Issue
Block a user