
add content security policy#7181

Merged
IanMatthewHuff merged 1 commit intomicrosoft:masterfrom
IanMatthewHuff:dev/ianhu/webviewSecurity
Sep 3, 2019

Conversation

@IanMatthewHuff
Member

For #7007

  • Pull request represents a single change (i.e. not fixing disparate/unrelated things in a single PR)
  • Title summarizes what is changing
  • Has a news entry file (remember to thank yourself!)
  • Appropriate comments and documentation strings in the code
  • Has sufficient logging.
  • Has telemetry for enhancements.
  • Unit tests & system/integration tests are added/updated
  • Test plan is updated as appropriate
  • package-lock.json has been regenerated by running npm install (if dependencies have changed)
  • The wiki is updated with any design decisions/details.

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' 'unsafe-eval' vscode-resource: data: https: http:;">
Member Author

Relevant docs:
https://code.visualstudio.com/api/extension-guides/webview#content-security-policy
https://developers.google.com/web/fundamentals/security/csp/

Right now this CSP is very lenient. While it might be good to revisit this, everything currently specified in here is required for our window to work, with one possible exception. That exception is the http: allowance. For example, if you do something like Bokeh, you'll get warnings if you don't allow https so that it can hit scripts from https://cdn.pydata.org/bokeh. I don't know for sure that http: is required, but given that packages can hit just about anything to load scripts, it seems unsafe to disallow http:. While this CSP is lenient, I believe that is in step with the overall Jupyter ecosystem.
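As an added example (not code from this PR or from the extension), a small TypeScript checker that parses a CSP string and flags the script sources that weaken it, run against the policy quoted in the review snippet above and against a tighter nonce-based shape of the kind the linked VS Code webview guide describes; the nonce value and the narrowed allow-list in that second policy are assumptions, not something the project ships.

```typescript
// Added example, not part of PR #7181: lint a Content-Security-Policy string
// for sources that undo the script-injection protection CSP is meant to give.
type Policy = Map<string, string[]>;

// Parse "directive src src; directive src" into directive -> source list.
function parseCsp(csp: string): Policy {
  const policy: Policy = new Map();
  for (const segment of csp.split(";")) {
    const tokens = segment.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue; // empty segment, e.g. after a trailing ';'
    const directive = (tokens[0] ?? "").toLowerCase();
    const sources = tokens.slice(1);
    // CSP ignores a repeated directive; keep only the first occurrence.
    if (!policy.has(directive)) policy.set(directive, sources);
  }
  return policy;
}

// Source expressions that make script execution effectively unrestricted.
const LENIENT: ReadonlyMap<string, string> = new Map([
  ["'unsafe-inline'", "inline scripts allowed, so injected markup executes"],
  ["'unsafe-eval'", "eval()/new Function() allowed"],
  ["http:", "any cleartext-HTTP origin may serve scripts"],
  ["https:", "any HTTPS origin may serve scripts"],
  ["data:", "data: URLs may carry scripts"],
  ["*", "wildcard origin"],
]);

// Findings for the directive that governs scripts: script-src, else default-src.
function scriptFindings(csp: string): string[] {
  const policy = parseCsp(csp);
  const sources = policy.get("script-src") ?? policy.get("default-src") ?? [];
  const findings: string[] = [];
  for (const src of sources) {
    const why = LENIENT.get(src.toLowerCase());
    if (why !== undefined) findings.push(`${src}: ${why}`);
  }
  return findings;
}

// The policy from this PR's webview <head>, copied from the review snippet.
const PR_CSP =
  "default-src 'unsafe-inline' 'unsafe-eval' vscode-resource: data: https: http:;";

// Assumed tighter alternative: scripts only with a per-load nonce (placeholder value).
const NONCE_CSP =
  "default-src 'none'; img-src vscode-resource: https:; script-src 'nonce-PLACEHOLDER'; style-src vscode-resource:;";

console.log(scriptFindings(PR_CSP));    // five findings for the lenient policy
console.log(scriptFindings(NONCE_CSP)); // [] for the nonce-based policy
```

The nonce-based policy would break notebook output that loads scripts from a CDN (the Bokeh case above), which is exactly the trade-off the comment describes.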

@codecov-io

codecov-io commented Sep 3, 2019

Codecov Report

Merging #7181 into master will decrease coverage by 0.05%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #7181      +/-   ##
==========================================
- Coverage    58.5%   58.44%   -0.06%     
==========================================
  Files         485      485              
  Lines       21446    21446              
  Branches     3462     3462              
==========================================
- Hits        12546    12535      -11     
- Misses       8122     8135      +13     
+ Partials      778      776       -2
Impacted Files Coverage Δ
src/client/common/application/webPanel.ts 17.39% <ø> (ø) ⬆️
src/client/common/logger.ts 68.55% <0%> (-6.92%) ⬇️

Continue to review full report at Codecov.

Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 83185a6...0b510b0.

@IanMatthewHuff IanMatthewHuff merged commit 8f5861e into microsoft:master Sep 3, 2019
@IanMatthewHuff IanMatthewHuff deleted the dev/ianhu/webviewSecurity branch September 3, 2019 21:35
@lock lock Bot locked as resolved and limited conversation to collaborators Sep 10, 2019