Untrusted html usage #22

Open
setalosas opened this issue Mar 28, 2021 · 4 comments

@setalosas

Version: 1.55.0-insider (system setup)
Commit: d06d2f1d6245ce00b1c36a9cd81a9087d225173e
Date: 2021-03-26T14:01:14.867Z
Electron: 11.3.0
Chrome: 87.0.4280.141
Node.js: 12.18.3
V8: 8.7.220.31-electron.0
OS: Windows_NT x64 10.0.21296

I get the following error when I try to modify the HTML (just replacing an inline style tag (vscode-tokens-styles)):

[uncaught exception]: Error: UNTRUSTED html usage, default trusted types policy should NEVER be reached

I have a very simple script included with Monkey Patch:

"monkeyPatch.browserModules": [
	// Will load "~/custom-modules/browser1.js" in browser process
	"/13/custom/vsm/monkey-styling/styler"
],

This script only modifies that inline style, it does nothing else. No dependencies. It worked for quite a long time now with Monkey Patch, but recently I get the error message above.

It's possible that this has nothing to do with Monkey Patch and is more a matter of some policy changes in vscode; if so, I'm sorry for bringing it up. (I couldn't find out what these trusted types are yet; I tried to Google it, but I just find very confusing, unclear descriptions.)

@knopp
Collaborator

knopp commented Mar 29, 2021

Do you get the same error if you add the .js extension to your script?

@setalosas
Author

No, it doesn't give any error because it's not running at all with the .js extension. You mean:

	"monkeyPatch.browserModules": [
		// Will load "~/custom-modules/browser1.js" in browser process
		"/13/custom/vsm/monkey-styling/styler.js"
	],

? If I change that line to styler.js, Monkey Patch won't tell me it would reload, like it didn't recognize it.

(BTW I could find a get-around: instead of rewriting the style tag's innerHTML, I just insert a new style node with the new rules (document.head.appendChild()). It works without errors.)

@setalosas
Author

OMG, this sounds bad:

microsoft/vscode#103699

@disco0
Contributor

disco0 commented Apr 3, 2021

> OMG, this sounds bad:
>
> microsoft/vscode#103699

Still not 100% on this, but looks like I'm having issues from this possibly—my style hot reloader script (placed a link element to the css file in head, similar to customize-ui) broke, eventually fixed it by reading and writing the css into a style element instead. Waiting on making an issue until I know it's not related to TrustedTypes, atm I'm guessing it's the loading a css file from dotfiles path ¯\_(ツ)_/¯

Version:

Version: 1.56.0-insider
Commit: 550035808407c15252e581e8abe1b820b9d311ee
Date: 2021-04-02T05:13:17.592Z (1 day ago)
Electron: 11.4.1
Chrome: 87.0.4280.141
Node.js: 12.18.3
V8: 8.7.220.31-electron.0
OS: Darwin x64 18.7.0

Top of <head>

<head>
    <meta charset="utf-8">
    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self' https: data: blob: vscode-remote-resource:; media-src 'none'; frame-src 'self' vscode-webview:; object-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' https: ws:; font-src 'self' https: vscode-remote-resource:;">
    <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script'; trusted-types default TrustedFunctionWorkaround ExtensionScripts amdLoader cellRendererEditorText defaultWorkerFactory diffEditorWidget domLineBreaksComputer editorViewLayer diffReview extensionHostWorker insane notebookOutputRenderer safeInnerHtml standaloneColorizer tokenizeToString webNestedWorkerExtensionHost webWorkerExtensionHost;">
    <link rel="stylesheet" type="text/css" data-name="vs/workbench/workbench.desktop.main" href="file:///Applications/Visual%20Studio%20Code%20-%20Insiders.app/Contents/Resources/app/out/vs/workbench/workbench.desktop.main.css"><link rel="stylesheet" type="text/css" href="file:///Users/<USER>/Library/Application Support/Code - Insiders/User/globalStorage/iocave.customize-ui/modules/customize-ui.css" media="all">
<!-- ...  -->
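
Added example (not part of the thread, and not VS Code or Monkey Patch code): a small Node.js check that parses the two Content-Security-Policy strings from the `<head>` quoted above and reports what they imply for a script that edits styles. The function names and the policy name `monkeyStyler` are hypothetical.

```javascript
// CSP strings copied verbatim from the two <meta> tags quoted in the thread.
const POLICIES = [
  "default-src 'none'; img-src 'self' https: data: blob: vscode-remote-resource:; media-src 'none'; frame-src 'self' vscode-webview:; object-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' https: ws:; font-src 'self' https: vscode-remote-resource:;",
  "require-trusted-types-for 'script'; trusted-types default TrustedFunctionWorkaround ExtensionScripts amdLoader cellRendererEditorText defaultWorkerFactory diffEditorWidget domLineBreaksComputer editorViewLayer diffReview extensionHostWorker insane notebookOutputRenderer safeInnerHtml standaloneColorizer tokenizeToString webNestedWorkerExtensionHost webWorkerExtensionHost;",
];

// Split one policy string into a Map of directive name -> source/value list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    // Within a single policy, only the first occurrence of a directive counts.
    if (key && !directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Every delivered policy is enforced independently, so checks must pass in all of them.
function analyze(policyStrings) {
  const parsed = policyStrings.map(parseCsp);
  const ttLists = parsed.map((d) => d.get("trusted-types")).filter(Boolean);
  // Fallback chain that governs <style> elements.
  const styleLists = parsed
    .map((d) => d.get("style-src-elem") ?? d.get("style-src") ?? d.get("default-src"))
    .filter(Boolean);
  return {
    // True when DOM sinks such as innerHTML require a Trusted Types value.
    sinksEnforced: parsed.some((d) =>
      (d.get("require-trusted-types-for") ?? []).includes("'script'")),
    // Would trustedTypes.createPolicy(name, ...) be permitted by every policy?
    canCreatePolicy: (name) => ttLists.every((v) => v.includes("*") || v.includes(name)),
    // 'unsafe-inline' is ignored once a nonce or hash source is present.
    inlineStyleAllowed: styleLists.every((v) =>
      v.includes("'unsafe-inline'") && !v.some((s) => /^'(nonce|sha(256|384|512))-/.test(s))),
  };
}

const report = analyze(POLICIES);
console.log("innerHTML requires a trusted value:", report.sinksEnforced);
console.log("'default' policy name allowed:", report.canCreatePolicy("default"));
console.log("'monkeyStyler' policy name allowed:", report.canCreatePolicy("monkeyStyler"));
console.log("inline <style> content allowed:", report.inlineStyleAllowed);
```

With these policies a plain string assigned to `innerHTML` is routed through Trusted Types and a new policy name cannot be registered, which matches the error in the first comment. A `<style>` node filled via `textContent` and appended to `<head>` is governed only by `style-src`, which allows inline styles here, consistent with the workaround both commenters report.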
