
Updated Content Security Policy to be more strict #306

Open
wants to merge 1 commit into base: main

Conversation

zzeebbii

@zzeebbii zzeebbii commented Feb 6, 2020

This PR fixes #171. As no resources are being used by the extension right now, the default source can be none. Later, if the extension needs some image, script or style, the policy can be updated.

- No script, image or styles are being loaded right now, so it can be
  set to none. Later it can be updated if required.
@msftclas

msftclas commented Feb 6, 2020

CLA assistant check
All CLA requirements met.

@akaroml akaroml requested a review from jdneo February 14, 2020 13:32
@akaroml
Member

akaroml commented Feb 14, 2020

@jdneo please help take a look.

Member

@jdneo jdneo left a comment


I'm afraid this won't work. If you open the Getting Started page, you will get a warning like the following:

[Embedded Page] Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-JFinOq+GM9ozZBqjltSr0PP7/fN3NmpyjSvRGddk43k='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Maybe a better way to fix this issue is to use the nonce mechanism: https://github.com/microsoft/vscode-extension-samples/blob/master/webview-sample/src/extension.ts#L194-L207
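
The nonce approach jdneo points to, as an added TypeScript example (not the PR's or the sample repository's code): `default-src 'none'` is kept, and the inline script is allowed only through a per-render nonce. The `cspSource` parameter is assumed to stand in for `webview.cspSource`, passed as a plain string so the snippet runs outside VS Code.

```typescript
import { randomBytes } from "crypto";

// Generate a fresh, unpredictable nonce for every render of the webview.
// A nonce that is reused or guessable gives no protection against injected inline scripts.
function getNonce(): string {
  return randomBytes(16).toString("base64");
}

// Build the policy the webview will enforce. default-src 'none' stays, as in the PR;
// inline scripts run only if they carry this render's nonce. `cspSource` is assumed
// to be the value of webview.cspSource, supplied by the caller.
function buildCsp(nonce: string, cspSource: string): string {
  return [
    "default-src 'none'",
    `style-src ${cspSource}`,
    `script-src 'nonce-${nonce}'`,
  ].join("; ");
}

// Render a minimal Getting Started page whose inline script is tagged with the nonce.
function buildWebviewHtml(nonce: string, cspSource: string): string {
  return `<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="${buildCsp(nonce, cspSource)}">
</head>
<body>
<h1>Getting Started</h1>
<script nonce="${nonce}">console.log("ready");</script>
</body>
</html>`;
}

// Defensive check: every <script> tag in the rendered HTML must carry the current nonce,
// otherwise the webview refuses it with exactly the error quoted in the review comment.
// Returns the offending tags so a unit test can flag a forgotten nonce before release.
function scriptsMissingNonce(html: string, nonce: string): string[] {
  const tags = html.match(/<script\b[^>]*>/gi) ?? [];
  return tags.filter((tag) => !tag.includes(`nonce="${nonce}"`));
}
```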

@zzeebbii
Author

I will continue working on this one.

Successfully merging this pull request may close these issues: Webview does not set a content security policy

5 participants