Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSP - use child-src, worker-src #79922

Closed
jrieken opened this issue Aug 27, 2019 · 3 comments
Closed

CSP - use child-src, worker-src #79922

jrieken opened this issue Aug 27, 2019 · 3 comments
Assignees
@jrieken @mjbvz
Labels
debt Code quality issues web Issues related to running VSCode in the web
Milestone
September 2019

Comments

@jrieken
Copy link
Member

jrieken commented Aug 27, 2019

We have a CSP that defines script-src. Chrome/Edge applies that to workers/iframes while Safari doesn't:

[Error] Refused to load http://localhost:9777/static/out/vs/base/worker/workerMain.js#editorWorkerService because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.

It looks like it wants the child-src directive which after looking at the spec seems actually correct. Tho, we should also try the worker-src directive
@jrieken
Copy link
Member Author

jrieken commented Aug 27, 2019

@mjbvz Any other insides given you have more CSP knowledge?

@jrieken jrieken added the web Issues related to running VSCode in the web label Aug 27, 2019
@mjbvz
Copy link
Collaborator

mjbvz commented Aug 27, 2019

For workers, try worker-src first. It is the most modern way of specifying a CSP for workers and Chrome will prefer it over child-src and script-src

We currently use frame-src for iframes which should be good (at one point it was supposed to be deprecated but I don't think this happened)

@jrieken jrieken added this to the September 2019 milestone Aug 28, 2019
@jrieken jrieken added the debt Code quality issues label Aug 28, 2019
@jrieken
Copy link
Member Author

jrieken commented Sep 2, 2019

Yeah, seems like [worker|frame]-src is the future. FF prints a warning when using child-src, safari prints a warning when using worker-src... 🤷‍♂ I will add both to make them all happy...

jrieken added a commit that referenced this issue Sep 2, 2019
@jrieken
add worker-src and child-src, #79922
5831974
@jrieken jrieken closed this as completed Sep 2, 2019
@anthonydresser anthonydresser mentioned this issue Sep 13, 2019
Merged
@vscodebot vscodebot bot locked and limited conversation to collaborators Oct 17, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jrieken jrieken

@mjbvz mjbvz

Labels
debt Code quality issues web Issues related to running VSCode in the web
Projects
None yet
Milestone
September 2019
Development

No branches or pull requests
2 participants
@jrieken @mjbvz