Webview does not set a content security policy

[mjbvz]

Hi, I'm the developer of VS Code's webview API. I noticed that your extension seems to create a webview that does not set a content security policy. All webviews (even very simple ones) should set a content security policy. This helps limit the potential impact of content injections and is generally a good measure for defense in depth.

We've documented how to add a content security policy to VS Code webviews here. Please add the most restrictive content security policy possible to your webview. I am not aware of any immediate security issues with your extension but having a restrictive content security policy is important to help protect users of your extension.

---

Also note that in development mode, in VS Code 1.38 you should also see a warning if you create a webview that does not set a content security policy: microsoft/vscode#79248

[jdneo]

Reopen it since we can have better way to fix this issue.

[TantumErgo]

@jdneo Do you have details on the bug that needs fixing?

[jdneo]

Hi @TantumErgo,

We now have three kinds of pages using webview to render: https://github.com/jdneo/vscode-leetcode/tree/master/src/webview.(Those named with xxxProvider) So far, we have the CSP meta-data, but it's not good enough since they all have content="default-src 'none';.

To better fix it, we can introduce the nonce attribute. One example is here: https://github.com/microsoft/vscode-extension-samples/blob/master/webview-sample/src/extension.ts#L184

Would you mind to take a look and make a contribution for this?