Trusted Types policy usage #106396
Comments
|
fyi @annkamsk |
…l (api-only) trusted types factory if missing, microsoft/vscode#106396
…or TrustedTypesFactory et al, #106396
|
I have pushed a few changes that make sure we have a trusted types polyfill (comes view the AMD loader) and typings. Also, the loader has got an option to created trusted script urls. With that most TrustedScriptURL warning are gone. Line 36 in the snippet below is a sample of a loader config to enable trusted types (policies are insecure) vscode/src/vs/code/browser/workbench/workbench-dev.html Lines 32 to 49 in 133d95e |
* Add back hideHover and use on tree context menu show Fixes microsoft#106268 * Update distro * 💄 * explorer: Fix TrustedTypes violation microsoft#106285 * produce deb, rpm packages * Add loginShell (microsoft/vscode-remote-release#3593) * chore - tweak onDidAddNotebookDocument, onDidRemoveNotebookDocument event, use ResourceMap and fix confusion between models and editors * notebook update * pinned tabs - update setting enum name * Use innerText over innerHTML, microsoft#106285 * rename to IHostColorSchemeService * API proposal for tree item icon color Part of microsoft#103120 * chore - when target might be undefined use `target?.dispose()` over `dispose(target)` * deprecate onDidChangeCells * Reenable notebook smoke test microsoft#105330 * deprecate onDidChangeContent * Add numeric values support for terminal.integrated.fontWeight * unified onDidChangeContent * node-pty@0.10.0-beta17 Fixes microsoft#105957 * 💄 * debt - remove _unInitializedDocuments * remove `NotebookDocument#displayOrder` , fixes microsoft#106305 * no uninitialized documents. * chore - update references viewlet * debug: make serverReadyAction play nicely with js-debug Fixes microsoft#86035 Fixes microsoft/vscode-js-debug#440 * fix rpm * high contrast switching in browser * Fix occasional bad custom selectbox layout Fix microsoft#106302 * review comments * Bump vscode-ripgrep for ARM microsoft#6442 * Revert more specific class names for editor tokens Reverts microsoft#103485 Fixes microsoft#106261 I believe that microsoft#103485 broke cases where the markdown renderer creates tokenized strings that are used outside of an editor's dom node (such as in hovers or in webviews) The safest fix for now is to revert it. We can revist this and make the markdown renderer handle the tokenized output better next iteration * remove emit selections. * merge conflict resolve. * fix integration tests. * Disable errors in non-semantic supported files Fixes microsoft#106299 Fixes microsoft#106314 Also enables js/ts features on the right side of PRs and in search results * proper fix for microsoft#105202 (microsoft#106293) * Only enable 'open with' on files Fixes microsoft#106291 * Add WebviewView.description Allow configuring the description for webview views. This is rendered next to the title in a less prominently in the title * Remove manual strikethroughs for deprecated properties in vscode.d.ts Now that TS has support for `@deprecated`, these manual strike throughs should no longer be required. * Add show method to webview view Fixes microsoft#106085 * Skip failing test * fix microsoft#106283 * enable test * fix microsoft#106283 * pinnedTabSizing.standard => pinnedTabSizing.normal * install dot net core sdk * update distro * tabs - align icon and text vertically centered in tab * update distro * distro * fix microsoft#106308 * Update gitignore decorations when .git/info/exclude file is edited (microsoft#106270) * detect local `exclude` file edits * use `uri.path` to detect exclude file edits `uri.path` uses forward slash as a path separator indepentent of the host system, which makes it easier to use with regex * updated searches * editor - rename context keys variables * fix microsoft#105999 * pinned tabs - prevent to close pinned tabs via Cmd+W (microsoft#100738) * Reduce usage of `.innerHTML` (microsoft#106285) * fix uninstalling extension * remove unused import * add `replaceNotebookMetadata` (should become `replaceMetadata`) to NotebookEditorEdit, microsoft#105283 * add `replaceNotebookMetadata`, microsoft#105283 * use textContent instead of innerHTML (for microsoft#106285) * chore - move appyWorkspaceEdit from extHostTextEditors to (new) extHostBulkEdits and mainThreadBulkEdits * chore - extract extHostNotebookDocument for the NotebookDocument and NotebookCell types and friends * chore - extract ExtHostNotebookEditor into its own file * chore - remove ExtHostNotebookEditor#uri and use document.uri instead * chore - 💄 member order: property, ctor, method * publish arm deb and rpm * trusted types related to microsoft#106285 * use async await * distro * update trusted types search * trusted types - use textContent for style elements, fyi @rebornix * fix arch * Fix compile after merge * Use instantiation service to create TerminalLinks * Consolidate colon trim logic * Avoid slice when checking colon * Check length again I prefer chatAt over slice as it's more obvious what's happening * Move comment into helper function * Update extensions/git/src/commands.ts * Update extensions/git/src/commands.ts * Update extensions/git/src/commands.ts * Save prompt is shown while saving from settings split json editor (fix microsoft#106330) * Only allow configurePlugin against main TS Server Fixes microsoft#106346 Looks like the TS Server doesn't support this in partial mode at the moment * Adding more explicit typings for promises This gets us ready for TS 4.1 * Don't use async on abstract functions * chore - use workingCopyService.isDirty instead notebook.isDirty * Update Codicons - Update 'pinned' - Add 'export' - Compress 'merge' microsoft/vscode-codicons@5bcb1a0 * Add explicit undefined parameters / types These errors come from the new stricter types for Promises in TS 4.1 * debt - IMainNotebookController#removeNotebookDocument * debt - invoke resolve notebook when opening a notebook in an editor, not when loading a notebook from source * do not need isUntitled. * 💂 polish nb tests. * remove selections from nb text model. * replace changeCellLanguage to applyEdit * fix microsoft#105916. expand metadata section if modified. * move dirty state to NotebookEditorModel. * chore, simply notebook text model event emitter * refs microsoft#106285 * Add subscribers action * Fix terminal ts 4.1 compile issues Part of microsoft#106358 * Fix ts 4.1 issues in terminal api tests * Update Codicons: add 'graph-left' microsoft/vscode-codicons@dd1edb2 * initialize notebook text model data only through ctor. * 💄 * Mark property readonly * Enable webview commands for webview views Fixes microsoft#105670 Previously our webview commands assumed that webviews were always going to be in an editor. This is no longer true with webview views. To fix this, I've added an `activeWebview` to the `IWebviewService`. This tracks the currently focused webview. * microsoft#106358 * debug: bump js-debug-companion * re microsoft#105735. * re microsoft#105735. no more udpateMetadata api. * Fix microsoft#106303 * Use destructuring to make code more clear * Add isWritableFileSystem api Fixes microsoft#91697 This new API checks if a given scheme allows writing * Revert "Fix microsoft#106303" This reverts commit 8e5eed1. this is causing a layer check issue * Cache webview view title across reloads Fixes microsoft#105867 * fix some TS 4.1 errors (microsoft#106358) * fix some TS 4.1 errors (microsoft#106358) * fix TS 4.1 compile errors, microsoft#106358 * pinned tabs - flip default to "shrink" * fix ts errors related to microsoft#106358 * pinned tabs - closing pinned tab should open next non-pinned * pinned tabs - add a tab.lastPinnedBorder color * Adds commands for --no-verify commit variants (microsoft#106335) * add `{allow,confirm}NoVerifyCommit` options * adds commit comands with no verify * handles no verify command variants * handle no verify commit option * only display no verify variants when option is set * trusted types related to microsoft#106395 * more TS 4.1 fixes (microsoft#106358) * update trusted types search * Fix TS 4.1 errors for tasks and remote explorer Part of microsoft#106358 * Adress microsoft#106358: Fix TS 4.1 errors in codebase * debt - simplify metadata edit because we now have CellEditType.DocumentMetadata * Fix Trusted Types violations (round #2) microsoft#106395 * debug: return result of a msg to debug adapter can be undefined * add ExtHostFileSystemInfo which knows what schemes are reserved and which are used, microsoft#91697 * fixes microsoft#106334 * web - fix bad credentials lookup * Correct path to code-workspace.xml Fixes microsoft#106384 * Multi git executable paths (microsoft#85954) * Multi git executable path * update `git.path` setting description * 💄 Co-authored-by: João Moreno <joao.moreno@microsoft.com> * Correct linux code-workspace path * fixes microsoft#104047 * Add defaultUriScheme to path service (microsoft#106400) Fixes microsoft/vscode-internalbacklog#1179 * 💄 * Fix microsoft#106303 * Avoid innerHTML (microsoft#106395) * Avoid innerHTML (microsoft#106395) * debt - REMOTE_HOST_SCHEME => Schemas.vscodeRemote * fixes microsoft#106355 * pathService - defaultUriScheme() => defaultUriScheme * Adjust active terminal tab when active tab moves (microsoft#106413) Fixes microsoft#106300 * debt - adopt defaultUriScheme also for userHome * debt - adopt defaultUriScheme over hardcoded vscode-remote in toLocalResource * some integration tests for notebook editing, microsoft#105283 * refs microsoft#106358 * Bump yargs-parser in /extensions/markdown-language-features (microsoft#106373) Bumps [yargs-parser](https://github.com/yargs/yargs-parser) from 13.1.1 to 13.1.2. - [Release notes](https://github.com/yargs/yargs-parser/releases) - [Changelog](https://github.com/yargs/yargs-parser/blob/master/docs/CHANGELOG-full.md) - [Commits](https://github.com/yargs/yargs-parser/commits) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump yargs-parser in /extensions/css-language-features/server Bumps [yargs-parser](https://github.com/yargs/yargs-parser) from 13.1.1 to 13.1.2. - [Release notes](https://github.com/yargs/yargs-parser/releases) - [Changelog](https://github.com/yargs/yargs-parser/blob/master/docs/CHANGELOG-full.md) - [Commits](https://github.com/yargs/yargs-parser/commits) Signed-off-by: dependabot[bot] <support@github.com> * Remove arrays.findIndex For microsoft#103454 This should be a direct map to the `.findIndex` mathod * Use textContnet for style element For microsoft#106395 * use textcontent in menu css refs microsoft#106395 * Fix one innerHTML usage microsoft#106395 * Use `@example` tags in vscode.d.ts (microsoft#106352) `@example` is the standard way to document code examples. This also gets us syntax highlighting of code examples in hovers * - reload only local user configuration after initi - add perf mark up and logs * re microsoft#105735. batch apply edits. * notebook text model initialization does not increment version * private outputs slice and unknown change. * applyEdit supports begin/end selections. * replace insertCell with applyEdit. * do not copy execution related metadata * 💄 * fix build. * Document view.type contribution Fixes microsoft#105821 * Improve views contribution point - add required properties - add default snippet - use `markdownDescription` for markdown string * Replace our arrays.find with stdlib find For microsoft#103454 * Pin blob storage dep see Azure/azure-sdk-for-js#11187 * unit tests for batched edits. * remove spliceNotebook api from textmodel. * update exploration branch * Fix some trusted type violations, microsoft#106395 * fix fonts in monaco menu * update distro * some jsdoc for microsoft#54938 * try to fix build (linux) * electron - set spellcheck: false again for windows * update search file, microsoft#106395 * 🆙 web playground * Trusted types - don't use innerHTML for rapid render, microsoft#106395 * Remove Schemas.vscodeRemote from simple file dialog * debt - remove some any casts from window * update distro * fix linux build * argh * proxy authentication does not work on 1.49 (microsoft#106434) * do not use hasClass and first microsoft#103454 * debug and explroer: do not use dom.addClass, dom.toggleClass * do not use deprecated dom helper methods microsoft#103454 * adopt new amd loader with support for TrustedScriptURL, add typings for TrustedTypesFactory et al, microsoft#106396 * explorer: Should maintain row focus after deleting a file fixes microsoft#71315 * Update Codicons: add 'magnet' icon microsoft/vscode-codicons@4c61155 * Remove unused 'SettingSearch' issue type * notebook document data loss. * cell language should not be freezed. * Add preferred_username to the list of msft token claims (microsoft#106511) * debug: update js-debug * fix microsoft#106430. * hide outputs if it is transient. * Add optional typing for webview state in WebviewPanelSerializer This makes it easier for extensions to correctly type their state if they wish * Add comment to WebviewViewResolveContext * use optional chaining * Use `Set` instead of array Sets should offer faster checking to see if a property has been seen * Create webview.web.contribution Fixes microsoft#106516 Creates an explicit contribution file for web. This makes sure we only don't register the `IWebviewService` twice. Not 100% sure this fixes the issue since I couldn't repo the original bug with our oss builds * Revert "API proposal for tree item icon color" This reverts commit 52e557f. * Skip formatting when during format-on-save, the configured formatter cannot be found (continue to show silent notification), microsoft#106376 * don't use renderCodicons any more, microsoft#105799 * remove old renderCodicons-function, rename renderCodiconsAsElement to renderCodicons * NotebookEditorEdit-api changes, microsoft#105283 * WorkspaceEdit-api changes, microsoft#105283 * adopt notebook integration tests, microsoft#105283 * add NotebookCell#index, microsoft#106637 * fix delay issue for provideCodeLenses, microsoft#106267 * rename RunOnceScheduler#timeout to delay * use debian stretch images (microsoft#106656) * remove deprecated function calls related to microsoft#103454 * workaround, maybe fix for microsoft#106657 * update search files * debt - make class list utils functions so that @deprecated works for them * fixes microsoft#106406 * notebook - when creating a notebook, check that no notebook with another viewtype exists * fix bad classList usage * add regression test for microsoft#106657 * fixes microsoft#86180 * fixes microsoft#100172 Co-authored-by: Alex Ross <alros@microsoft.com> Co-authored-by: Daniel Imms <daimms@microsoft.com> Co-authored-by: João Moreno <joao.moreno@microsoft.com> Co-authored-by: isidor <inikolic@microsoft.com> Co-authored-by: Christof Marti <chrmarti@microsoft.com> Co-authored-by: Johannes Rieken <johannes.rieken@gmail.com> Co-authored-by: Benjamin Pasero <benjpas@microsoft.com> Co-authored-by: Martin Aeschlimann <martinae@microsoft.com> Co-authored-by: rebornix <penn.lv@gmail.com> Co-authored-by: Rob Lourens <roblourens@gmail.com> Co-authored-by: IllusionMH <illusionmh@gmail.com> Co-authored-by: Daniel Imms <tyriar@tyriar.com> Co-authored-by: Connor Peet <connor@peet.io> Co-authored-by: Matt Bierner <matb@microsoft.com> Co-authored-by: Jean Pierre <jeanp413@hotmail.com> Co-authored-by: Peng Lyu <penlv@microsoft.com> Co-authored-by: Sandeep Somavarapu <sasomava@microsoft.com> Co-authored-by: Vyacheslav Pukhanov <vyacheslav.pukhanov@gmail.com> Co-authored-by: Alex Dima <alexdima@microsoft.com> Co-authored-by: João Moreno <mail@joaomoreno.com> Co-authored-by: Miguel Solorio <miguel.solorio@microsoft.com> Co-authored-by: SteVen Batten <steven.m.batten@outlook.com> Co-authored-by: Jackson Kearl <jakearl@microsoft.com> Co-authored-by: Rachel Macfarlane <ramacfar@microsoft.com> Co-authored-by: Dirk Baeumer <dirkb@microsoft.com> Co-authored-by: WhizSid <whizsid@aol.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: deepak1556 <hop2deep@gmail.com> Co-authored-by: Oleg Demchenko <oldemche@microsoft.com>
|
Hi, I am currently working on a few enhancements in tsec, specifically on the following things
If you feel this deserves a separate issue to discuss this on, we can create one and move the discussion there. |
I didn't expect them to exist already ;-) Also, I have only added a very minimal api-only polyfill so I didn't spec more of the trusted types API. Also wondering how to do it properly when assigning e.g.
Yeah, the Not sure if I can image a tailored VS Code fixer - violations I have seen so far all very different. There might some low-hanging fixers for cases when the empty string is assigned. A common violation was the population of style-tags via innerHTML - we have replaced those with textContent which would be a candidate for automation.
Very excited about that! |
One thing to note is that with this current setup, it might be easy to degrade security in the future without realizing, due to the fact that the validation function far away from the actual policy creation, so changes in the former might not look suspicious to a reviewer, but are actually security relevant. We are currently working on open sourcing our set of Trusted Types builders, but our general approach is to try to fully encapsulate the policy behaviour so that consumers of the builders cannot change the security property of the resulting types. One of the tricks that we use to ensure that a value is safe is by using template literals to separate what comes from the program's source vs what is dynamic. (when it comes from the program source, there is no risk for it to be user controlled). This might work in this case since all your paths seem to be in the program's source. So you could define a function like follows: // This remains private, all security considerations stay in this file.
const policy = trustedTypes.createPolicy('amdLoader', {createScriptURL: (value: string) => value});
export function scriptURL(templateObj: TemplateStringsArray): TrustedScriptURL {
if (!templateObj.length === 1) { throw "Cannot interpolate in script urls"; }
if (!templateObj[0].startsWith('/')) { throw "Only absolute paths are allowed in script urls"; }
return policy.createScriptURL(`${window.location.origin}${templateObj[0]}`);
}And then use it anywhere you want like follows: <script>
self.require = {
baseUrl: scriptURL`/static/out`,
recordStats: true,
paths: {
'vscode-textmate': scriptURL`/static/remote/web/node_modules/vscode-textmate/release/main`,
'vscode-oniguruma': scriptURL`/static/remote/web/node_modules/vscode-oniguruma/release/main`,
...
}
};
</script> |
Unfortunately, there is no support for this in TS due to this issue. Also, you approach ( This pattern might be tedious so you might want to use unwrapper function to unwrap the trusted value: |
|
@jrieken Can you provide more info about the failure? I tried cloning vs code repo and tsec works for me without problems. There weren't any suspicious changes in the repo recently which could cause such breakage. |
|
This is confusing... I was getting this error even after a refresh install. Now it seems to be working 😕 |
|
|
When the error occurs, are you inside a Chrome devtools debugging session? This might be https://bugs.chromium.org/p/chromium/issues/detail?id=1131368. |
|
Yeah. @joaomoreno saw this when running/debugging VS Code from within VS Code |
|
Then it's very likely that bug (sorry!), it should not manifest itself during regular execution, only when the e.g. one is inside a breakpoint. By now we have a good idea on how to fix this. |
|
Closing this as trusted types policy usage just happens. Currently, most policies aren't doing real checks and once we have sink usages covered we should look at policies in detail |
The editor view layer uses innerHTML for performance reasons and we aren't ready to rework that (see #106285 (comment)) This is a use-case of a custom policy, e.g one which doesn't escape things. There might be other, still unknown, places where policies are required, e.g when rendering markdown. This is the item to track such policy usages.
The text was updated successfully, but these errors were encountered: