Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[code] serve each webview from own origin #4529

Closed
akosyakov opened this issue Jun 17, 2021 · 0 comments · Fixed by #4738
Closed

[code] serve each webview from own origin #4529

akosyakov opened this issue Jun 17, 2021 · 0 comments · Fixed by #4738
Assignees
@akosyakov
Labels
component: ws-proxy editor: code (browser) groundwork: awaiting deployment

Comments

@akosyakov
Copy link
Member

Right now we serve all webviews from the same origin which:

  • is not most secure, webviews from different extensions should not share data between each other
  • not functionally correct - each webivew expect to have own browser storage partition
  • requires tweak in VS Code Web to make it work reliably

Before we tried to serve webview from own origin by producing subdomains like {webview-uuid}-webview-{workspace-id}, but such attempts were unsuccessful since DNS label is limited to 67 chars.

Instead we can try to produce URLs like webview-{webview-uuid}.eu-09.gitpod.io/{workspace-id}. It will give each webview an unique origin and allow ws-proxy to redirect requests to a proper workspace to load common webview bootstrap code.

After it is done we should revert in VS Code Web: https://github.com/gitpod-io/vscode/blob/eae95e2b37ad034edbe411d783b2980f20ed0688/src/vs/workbench/contrib/webview/browser/pre/main.js#L26-L28

Important: we cannot deprecate old webview route till Theia is removed and all workspaces using VS Code relying on it are stopped.
@akosyakov akosyakov self-assigned this Jun 17, 2021
akosyakov added a commit that referenced this issue Jul 8, 2021
@akosyakov
[code] fix #4529: serve each webview from own origin
913ffc9 
decoupled from workpace origin (also extension host origin)
@akosyakov akosyakov mentioned this issue Jul 8, 2021
Merged
akosyakov added a commit that referenced this issue Jul 8, 2021
@akosyakov
[code] fix #4529: serve each webview from own origin
c8b3074 
decoupled from workpace origin (also extension host origin)
akosyakov added a commit that referenced this issue Jul 13, 2021
@akosyakov
[code] fix #4529: serve each webview from own origin
ae57f7d 
decoupled from workpace origin (also extension host origin)
akosyakov added a commit that referenced this issue Jul 14, 2021
@akosyakov
[code] fix #4529: serve each webview from own origin
dbf674c 
decoupled from workpace origin (also extension host origin)
akosyakov added a commit that referenced this issue Jul 15, 2021
@akosyakov
[code] fix #4529: serve each webview from own origin
f9006f3 
decoupled from workpace origin (also extension host origin)
akosyakov added a commit that referenced this issue Jul 16, 2021
@akosyakov
[code] fix #4529: serve each webview from own origin
74e60f0 
decoupled from workpace origin (also extension host origin)
akosyakov added a commit that referenced this issue Jul 16, 2021
@akosyakov
[code] fix #4529: serve each webview from own origin
ed076d7 
decoupled from workpace origin (also extension host origin)
MatthewFagan pushed a commit to trilogy-group/gitpod that referenced this issue Dec 15, 2021
[code] fix gitpod-io#4529: serve each webview from own origin
a0c7f26 
decoupled from workpace origin (also extension host origin)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@akosyakov akosyakov

Labels
component: ws-proxy editor: code (browser) groundwork: awaiting deployment
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[code] serve each webview from own origin gitpod-io/gitpod
2 participants
@akosyakov @csweichel