Warn on webviews that do not have a content security policy set #79248

Closed
@mjbvz

Bug
Lots of webview extensions do not set a content security policy in their webview content. We want all webviews to have a CSP, as this can block many common security issues.

Proposal
Log a warning if a webview is created that does not have a CSP. Potentially also add some telemetry on which extensions are generating these webviews so we can eagerly open bugs against them.
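
A sketch of the kind of check proposed above, added here as an illustration and not taken from VS Code's code base. It scans webview HTML for a `Content-Security-Policy` meta tag and returns a warning naming the extension when none is present. The function names, the warning text and the sample HTML are assumptions constructed for this example.

```javascript
// Added example; findCspPolicy and checkWebviewHtml are hypothetical names,
// not VS Code APIs.

// Return the policy string of the first CSP <meta> tag, or null if there is none.
function findCspPolicy(html) {
  // Drop HTML comments so a commented-out policy does not count as set.
  const live = html.replace(/<!--[\s\S]*?-->/g, '');
  // Match <meta ...> tags; quoted attribute values may themselves contain '>'.
  const metaTag = /<meta\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  for (const [tag] of live.matchAll(metaTag)) {
    const attrs = {};
    // name="value", name='value' or name=value
    const attr = /([^\s=\/>"']+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (const m of tag.slice(5).matchAll(attr)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    if ((attrs['http-equiv'] || '').toLowerCase() === 'content-security-policy') {
      return (attrs['content'] || '').trim();
    }
  }
  return null;
}

// Return a warning string for the log, or null when a non-empty policy is set.
function checkWebviewHtml(extensionId, html) {
  const policy = findCspPolicy(html);
  if (policy === null) {
    return `[webview] ${extensionId}: no Content-Security-Policy meta tag found`;
  }
  if (policy === '') {
    // A policy with no directives restricts nothing.
    return `[webview] ${extensionId}: Content-Security-Policy meta tag is empty`;
  }
  return null;
}

// Constructed sample inputs.
const withCsp = `<!DOCTYPE html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src https:;">
</head><body>ok</body></html>`;
const withoutCsp = `<!DOCTYPE html><html><head><title>x</title></head><body>hi</body></html>`;
const commentedOut = `<html><head><!-- <meta http-equiv="Content-Security-Policy" content="default-src 'none'"> --></head></html>`;

for (const [id, html] of [['pub.good', withCsp], ['pub.none', withoutCsp], ['pub.commented', commentedOut]]) {
  console.log(checkWebviewHtml(id, html) ?? `[webview] ${id}: CSP present`);
}
```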

Labels

- api
- bug: Issue identified by VS Code Team member as probable bug
- verified: Verification succeeded
- webview: Webview issues