Relax <iframe>'s fetch CSP since it is not possible to know all ori…

…gins that extensions want to connect to
microsoft · Aug 4, 2020 · 7906d41 · 7906d41
1 parent 102590f
commit 7906d41
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/vs/workbench/services/extensions/browser/webWorkerExtensionHost.ts b/src/vs/workbench/services/extensions/browser/webWorkerExtensionHost.ts
@@ -102,7 +102,7 @@ export class WebWorkerExtensionHost extends Disposable implements IExtensionHost
 		const html = `<!DOCTYPE html>
 <html>
 	<head>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-eval' ${sourcesOrigin} https://*.gallerycdn.vsassets.io '${WEB_WORKER_IFRAME.sha}'; worker-src data:; connect-src ${sourcesOrigin} https://*.gallerycdn.vsassets.io" />
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-eval' ${sourcesOrigin} https://*.gallerycdn.vsassets.io '${WEB_WORKER_IFRAME.sha}'; worker-src data:; connect-src *" />
 		<meta id="vscode-worker-src" data-value="${escapeAttribute(workerSrc)}" />
 		<meta id="vscode-web-worker-ext-host-id" data-value="${escapeAttribute(vscodeWebWorkerExtHostId)}" />
 	</head>