The default set of webview message handlers have an event called did-keydown:
|
this._register(this.on('did-keydown', (data) => { |
|
// Electron: workaround for https://github.com/electron/electron/issues/14258 |
|
// We have to detect keyboard events in the <webview> and dispatch them to our |
|
// keybinding service because these events do not bubble to the parent window anymore. |
|
this.handleKeyEvent('keydown', data); |
|
})); |
This is used to bring out keydown events from the webview frame so keybindings work when you're focused on the webview:
|
// Also forward events before the contents of the webview have loaded |
|
window.addEventListener('keydown', handleInnerKeydown); |
Unfortunately this can create a bit of a security issue. If there is XSS in a webview or it intentionally allows scripts, it can trigger a series of dangerous keydown events like:
"Terminal: New Terminal Window" Ctrl+Shift+Alt+` followed by changing focus F6 and then "Terminal: Paste Into Active Terminal" Ctrl+Shift+V.
I don't know what a good solution is in terms of balancing this issue with usability because it wouldn't be the best user-experience to just have shortcuts not work entirely when you're clicked on a webview.
The default set of webview message handlers have an event called
did-keydown:vscode/src/vs/workbench/contrib/webview/browser/webviewElement.ts
Lines 249 to 254 in e407438
This is used to bring out keydown events from the webview frame so keybindings work when you're focused on the webview:
vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
Lines 904 to 905 in f999450
Unfortunately this can create a bit of a security issue. If there is XSS in a webview or it intentionally allows scripts, it can trigger a series of dangerous keydown events like:
"Terminal: New Terminal Window" Ctrl+Shift+Alt+` followed by changing focus F6 and then "Terminal: Paste Into Active Terminal" Ctrl+Shift+V.
I don't know what a good solution is in terms of balancing this issue with usability because it wouldn't be the best user-experience to just have shortcuts not work entirely when you're clicked on a webview.