OCram85/code-server
Archived
1
0
Fork 0
Code Pull Requests 2 Activity
This repository has been archived on 2024-09-09. You can view files and clone it, but cannot push or open issues or pull requests.
3335d0a456
code-server/patches/webview.diff
Asher 5ce99f8d1c
chore: update Code to 1.68 (#5263) 
* chore: update Code to 1.67

Was able to remove our changes to common/webview.ts since they are
upstream now.

Other than that no serious changes, just context diffs.

* chore: update Code to 1.68

- Upstream moved the web socket endpoint so change the Express route
  from / to *.  That will let web sockets work at any endpoint.
- Everything in the workbench config is basically the same but
  de-indented (upstream extracted it into a separate object which
  resulted in a de-indent), the ordering is slightly different, and
  instead of vscodeBase we now need vscodeBase + this._staticRoute since
  everything is served from a sub-path now.
- Move manifest link back to the root since that is where we host our
  manifest.
- Change RemoteAuthoritiesImpl to use the same path building method as
  in other places (+ instead of using URI.parse/join).
- Use existing host/port in RemoteAuthoritiesImpl and
  BrowserSocketFactory instead of patching them to use window.location
  (these are set from window.location to begin with so it should be the
  same result but with less patching).
- Since BrowserSocketFactory includes a sub-path now (endpoints were
  changed upstream to serve from /quality/commit instead of from the
  root) the patch there has changed to prepend the base to that
  path (instead of using the base directly).
- The workbench HTML now natively supports a base URL in the form of
  WORKBENCH_WEB_BASE_URL so no need for VS_BASE patches there anymore.
- Upstream added type="image/x-icon" so I did as well.
- Move the language patch to the end of the series so it is easier to
  eventually remove.
- Remove the existing NLS config in favor of one that supports
  extensions.
- Upstream deleted webview main.js and inlined it into the HTML so move
  that code (the parent origin check) into both those HTML files
  (index.html and index-no-csp.html).
- The remaining diff is from changes to the surrounding context or a
  line was changed slightly by upstream (for example renamed files or
  new arguments like to the remote authority resolver).

* fix: modify product.json before building

Code injects this into the client during the build process so it needs
to be updated before we build.

* fix: update inline script nonces

* Update HTML base path test

* fix: missing commit

Code overrides it with nothing.

The date is also already injected.

* fix: web extensions breaking when the commit changes

By just using the marketplace directly instead of going through the
backend.  I am not sure what the point is when searching extensions
already goes directly to the marketplace anyway.

But also remove the prefix that breaks this as well because otherwise
existing installations will break.
2022-06-21 21:51:46 +00:00

118 lines
5.7 KiB
Diff
Raw Blame History

Serve webviews from the same origin
Normally webviews are served from vscode-webview.net but we would rather them be
self-hosted.
When doing this CSP will block resources (for example when viewing images) so
add 'self' to the CSP to fix that.
Additionally the service worker defaults to handling *all* requests made to the
current host but when self-hosting the webview this will end up including the
webview HTML itself which means these requests will fail since the communication
channel between the webview and the main thread has not been set up yet as the
webview itself is not ready yet (it has no HTML and therefore no script either).
Since this code exists only for the authentication case we can just skip it when
it is served from the current host as authentication is not a problem if the
request is not cross-origin.
There is also an origin check we bypass (this seems to be related to how the
webview host is separate by default but we serve on the same host).
To test, open a few types of webviews (images, markdown, extension details, etc).
Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
+++ code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
@@ -183,7 +183,7 @@ export class BrowserWorkbenchEnvironment
@memoize
get webviewExternalEndpoint(): string {
- const endpoint = this.options.webviewEndpoint
+ const endpoint = (this.options.webviewEndpoint && new URL(this.options.webviewEndpoint, window.location.toString()).toString())
|| this.productService.webviewContentExternalBaseUrlTemplate
|| 'https://{{uuid}}.vscode-cdn.net/{{quality}}/{{commit}}/out/vs/workbench/contrib/webview/browser/pre/';
Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
===================================================================
--- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
+++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
@@ -298,6 +298,7 @@ export class WebClientServer {
const workbenchWebConfiguration = {
remoteAuthority,
+ webviewEndpoint: vscodeBase + this._staticRoute + '/out/vs/workbench/contrib/webview/browser/pre',
_wrapWebWorkerExtHostInIframe,
developmentOptions: { enableSmokeTestDriver: this._environmentService.args['enable-smoke-test-driver'] ? true : undefined },
settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
@@ -5,7 +5,7 @@
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy"
- content="default-src 'none'; script-src 'sha256-xgIcbQmGjpT42GEj54VFSNh6MI15PZ2D1+DdVehfYBI=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+ content="default-src 'none'; script-src 'sha256-aOCIU83V9nV+0ERJudbrKLqgIVOHqU71i4Lv5urjGTI=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
<!-- Disable pinch zooming -->
<meta name="viewport"
@@ -331,6 +331,12 @@
const hostname = location.hostname;
+ // It is safe to run if we are on the same host.
+ const parent = new URL(parentOrigin)
+ if (parent.hostname === hostname) {
+ return start(parentOrigin)
+ }
+
if (!crypto.subtle) {
// cannot validate, not running in a secure context
throw new Error(`Cannot validate in current context!`);
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index-no-csp.html
@@ -330,6 +330,12 @@
const hostname = location.hostname;
+ // It is safe to run if we are on the same host.
+ const parent = new URL(parentOrigin)
+ if (parent.hostname === hostname) {
+ return start(parentOrigin)
+ }
+
if (!crypto.subtle) {
// cannot validate, not running in a secure context
throw new Error(`Cannot validate in current context!`);
Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
+++ code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
@@ -4,7 +4,7 @@
<meta http-equiv="Content-Security-Policy" content="
default-src 'none';
child-src 'self' data: blob:;
- script-src 'self' 'unsafe-eval' 'sha256-fh3TwPMflhsEIpR8g1OYTIMVWhXTLcjQ9kh2tIpmv54=' https:;
+ script-src 'self' 'unsafe-eval' 'sha256-yHVIAbzODFRINjoLGID5qWPP45HzMtwhyVRC+7yiuXg=' https:;
connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
</head>
<body>
@@ -23,6 +23,13 @@
// validation not requested
return start();
}
+
+ // It is safe to run if we are on the same host.
+ const parent = new URL(parentOrigin)
+ if (parent.hostname === hostname) {
+ return start()
+ }
+
if (!crypto.subtle) {
// cannot validate, not running in a secure context
return sendError(new Error(`Cannot validate in current context!`));
View Git Blame Copy Permalink