Webview does not set a content security policy #1010
Labels
Milestone
Comments
|
Picking this issue |
ParkourKarthik
added a commit
to ParkourKarthik/code-settings-sync
that referenced
this issue
Aug 25, 2019
2 tasks
shanalikhan
pushed a commit
that referenced
this issue
Sep 12, 2019
General: HTML code is passed on lines 31-56. This code was without a CSP, leaving it vulnerable. A strict CSP was added on lines 35-38. Notes: 1. VS Code documentation, as well as other recommendations on CSP's, use default-src 'none'. However, after reviewing the CSP's added in Pull Request '#'1020, I followed the convention of default-src vscode-resource. Make sure this is the level of security wanted, rather than the more secure 'none'. 2. form-action and frame-ancestors are included because these two directives do not automatically use the default-src permission of the CSP and must be explicitly set. 3. img-src includes https: as recommended by VS Code documentation for CSP's. I also included vscode-resource, but I did not include data: because I don't understand why it's used in Pull Request '#'1020. If you would like me to include data: let me know, and I will add it to the CSP. 4. script-src and style-src have 'self' included, but if this is redundant after specifying vscode-resource, let me know and I will remove the 'self' value. By including 'self' it whitelists all scripts and styles originating from the URL of the project website. 5. script-src and style-src also have 'unsafe-inline' included, as they were included in the CSP's in Pull Request '#'1020, but it is recommended that SHA-256 be used when possible instead. script-src can use a SHA-256 hash of scripts, but I'm not sure if style-src can as well. Regardless, I continued using 'unsafe-inline' to match the other CSP's in the project, and because I didn't want to break any of the project's current functions by using too strict of a CSP.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, I'm the developer of VS Code's webview API. I noticed that your extension seems to create a webview that does not set a content security policy. All webviews (even very simple ones) should set a content security policy. This helps limit the potential impact of content injections and is generally a good measure for defense in depth.
We've documented how to add a content security policy to VS Code webviews here. Please add the most restrictive content security policy possible to your webview. I am not aware of any immediate security issues with your extension but having a restrictive content security policy is important to help protect users of your extension.
Also note that in development mode, in VS Code 1.38 you should also see a warning if you create a webview that does not set a content security policy: microsoft/vscode#79248
The text was updated successfully, but these errors were encountered: