Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated Content Security Policy to be more strict #306

Open
wants to merge 1 commit into
base: master
from

Conversation

@zzeebbii
Copy link

@zzeebbii zzeebbii commented Feb 6, 2020

This PR fixes #171. As no resources are being used by the extension right now, so default source can be none. Later if the extension needs some image, script or style then the policy can be updated.

- No script, image or styles are being loaded right now, so it can be
  set to none. Later it can be updated if required.
@msftclas
Copy link

@msftclas msftclas commented Feb 6, 2020

CLA assistant check
All CLA requirements met.

@akaroml akaroml requested a review from jdneo Feb 14, 2020
@akaroml
Copy link
Member

@akaroml akaroml commented Feb 14, 2020

@jdneo please help take a look.

Copy link
Member

@jdneo jdneo left a comment

I'm afraid this won't work. If you open the Getting Started page, you will get an warning like following:

[Embedded Page] Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-JFinOq+GM9ozZBqjltSr0PP7/fN3NmpyjSvRGddk43k='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Maybe a better way to fix this issue is to use the nonce mechanism: https://github.com/microsoft/vscode-extension-samples/blob/master/webview-sample/src/extension.ts#L194-L207

@zzeebbii
Copy link
Author

@zzeebbii zzeebbii commented Feb 16, 2020

I will continue working on this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

4 participants