Extending the Markdown Preview with additional scripts while complying with CSP #1203
Hi there, I'm currently building an extension that is converting markdown code blocks into executable scripts. The plugin works so far as it extends markdown-it to generate script-tags out of code blocks, but fails to execute them due to CSP restrictions. Consider this code where I define the rule for rendering the script tag. The token stream conversion has already taken place and works fine.

```ts
// Renderer rule for the custom block: emit the block's content as an inline script.
md.renderer.rules[blockName] = function (
  tokens: MarkdownIt.Token[],
  idx: number,
  options: any,
  env: any,
  self: any
): string {
  const token = tokens[idx];
  return `<script nonce="NONCE_GOES_HERE">${md.utils.escapeHtml(token.content)}</script>`;
};
```

My idea was that, while generating the script, I can inject the nonce as an attribute to mark the script as safe. But even after reading through the API reference, asking ChatGPT, going through discussions around here, and trying things out, I cannot figure out how to retrieve it.

Does anybody have an idea how I can get a hold of the nonces that the markdown preview generates while rendering the markdown into the preview? Are there any alternative approaches that might work? I would really like to stick with the original markdown preview since I want my extension to interop with other markdown extensions, so creating a new webview is not feasible (unless there is a way to easily mimic the original markdown preview).
Replies: 1 comment
If the original markdown preview you are talking about is the built-in markdown viewer of VS Code, you can make the viewer permissive, or less secure. See:
There is no way to obtain the nonce of the viewer.
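An added illustration of the behaviour discussed in this thread (not code from the discussion or from VS Code): a small Node.js check that applies CSP nonce matching to the `<script>` tags in rendered HTML, showing why a placeholder or missing nonce is blocked and what a permissive policy changes. The policy string, the nonce value and the HTML are constructed samples, and the function names are hypothetical.

```javascript
// Constructed sample policy; the nonce value is made up and would change per render.
const SAMPLE_POLICY = "default-src 'none'; script-src 'nonce-r4nd0mPerRender'";

// Constructed sample HTML: one script emitted by the host with the real nonce,
// two emitted by a markdown-it rule that cannot know it.
const SAMPLE_HTML = [
  '<script nonce="r4nd0mPerRender" src="preview.js"></script>',
  '<script nonce="NONCE_GOES_HERE">console.log(1)</script>',
  '<script>console.log(2)</script>',
].join('\n');

// Source list that governs scripts: script-src, else default-src, else null (no limit).
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, values); // first one wins
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// For each <script> tag, report its nonce and whether nonce/inline rules allow it.
// Host allowlists and hash matching are not modelled.
function auditScripts(policy, html) {
  const sources = scriptSources(policy);
  const nonces = new Set();
  let hasHash = false;
  for (const s of sources ?? []) {
    const m = /^'nonce-(.+)'$/.exec(s);
    if (m) nonces.add(m[1]); // nonce values are compared case-sensitively
    if (/^'sha(256|384|512)-/i.test(s)) hasHash = true;
  }
  // Browsers ignore 'unsafe-inline' once the list contains a nonce or a hash.
  const inlineOk = nonces.size === 0 && !hasHash &&
    (sources ?? []).some((s) => s.toLowerCase() === "'unsafe-inline'");
  const results = [];
  for (const tag of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attr = /\bnonce\s*=\s*(["'])(.*?)\1/i.exec(tag[1]);
    const nonce = attr ? attr[2] : null;
    const external = /\bsrc\s*=/i.test(tag[1]);
    const allowed = sources === null ||
      (nonce !== null && nonces.has(nonce)) || (!external && inlineOk);
    results.push({ nonce, allowed });
  }
  return results;
}
console.log(auditScripts(SAMPLE_POLICY, SAMPLE_HTML));
```

Under the nonce policy only the host's own script is allowed; swapping in `script-src 'unsafe-inline'` lets every inline script in the document run, which is the trade-off behind the "less secure" setting mentioned in the reply.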