[Bug]: security issue of jupyter notebook sharing in code-server #6420

@code1704

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

  • Web Browser: Chrome
  • Local OS: Mac
  • Remote OS:
  • Remote Architecture:
  • code-server --version:

Steps to Reproduce

  1. Set up a code server; the domain is https://codeserver.com
  2. Create a Jupyter notebook in code server
  3. Output JS or HTML in the Jupyter notebook, which requests an API/resource in the same domain:

         from IPython.display import HTML, display
         display(HTML("<img src='https://codeserver.com/some.jpg'/> "))

  4. Run

Expected

The request to https://codeserver.com/some.jpg should be sandboxed, without cookies. This may cause a security issue when we receive and open such a notebook in code server.

Actual

The request to https://codeserver.com/some.jpg is not sandboxed and it is sent with the cookie.

Logs

No response

Screenshot/Video

No response

Does this issue happen in VS Code or GitHub Codespaces?

  • I cannot reproduce this in VS Code.
  • I cannot reproduce this in GitHub Codespaces.

Are you accessing code-server over HTTPS?

  • I am using HTTPS.

Notes

No response
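
One way to check a received notebook before opening it, given the behaviour reported above: the script below is an added example, not part of the original report and not code-server's own code. It reads the saved outputs of an `.ipynb` document and lists HTML references that would reach the code-server host, plus any script content. The names `RefCollector`, `audit_notebook` and `SAMPLE_NOTEBOOK` are hypothetical, and it assumes relative URLs in an output resolve against the code-server origin.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose URL the browser fetches or navigates to from rendered output.
URL_ATTRS = {"src", "href", "action", "formaction", "poster", "data"}

class RefCollector(HTMLParser):
    """Collects URL-bearing attributes and notes any script content."""
    def __init__(self):
        super().__init__()
        self.refs, self.scripted = [], False

    def handle_starttag(self, tag, attrs):
        self.scripted |= tag == "script"
        for name, value in attrs:
            self.scripted |= name.startswith("on")  # inline event handler
            if name in URL_ATTRS and value:
                self.refs.append((tag, value))

def audit_notebook(nb, origin):
    """Return (cell index, kind, url) for saved outputs that would contact
    the host of `origin`, or run script, when the notebook is rendered."""
    host, findings = urlsplit(origin).hostname, []
    for idx, cell in enumerate(nb.get("cells", [])):
        for out in cell.get("outputs", []):
            data = out.get("data", {})
            if "application/javascript" in data:
                findings.append((idx, "javascript", None))
            html = data.get("text/html", "")
            parser = RefCollector()
            parser.feed("".join(html) if isinstance(html, list) else html)
            if parser.scripted:
                findings.append((idx, "script", None))
            for tag, url in parser.refs:
                # Assumption: relative URLs resolve against the code-server origin.
                full = urlsplit(urljoin(origin + "/", url.strip()))
                if full.hostname == host:  # cookies are scoped by host
                    findings.append((idx, tag, full.geturl()))
    return findings

# Constructed sample: the output from the report plus a third-party image.
SAMPLE_NOTEBOOK = json.loads("""{"cells": [
 {"cell_type": "code", "outputs": [{"output_type": "display_data", "data":
   {"text/html": ["<img src='https://codeserver.com/some.jpg'/> "]}}]},
 {"cell_type": "code", "outputs": [{"output_type": "display_data", "data":
   {"text/html": ["<img src='https://example.org/logo.png'>"]}}]},
 {"cell_type": "markdown", "source": ["no outputs here"]}
]}""")

if __name__ == "__main__":
    for finding in audit_notebook(SAMPLE_NOTEBOOK, "https://codeserver.com"):
        print(finding)
```

A notebook with findings can have its outputs cleared before it is opened in code server.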


Labels: bug (Something isn't working), triage (This issue needs to be triaged by a maintainer)
