Help webview extensions add a Content Security Policy #79340
Many webview extensions do not currently set a content security policy. All webviews (even very simple ones) should set a content security policy. This is not an immediate security problem, but a content security policy helps to limit the potential impact of content injections and is generally a good measure for defense in depth.
I've put together this initial list of extensions that create webviews that seem not to have a content security policy (there may be false positives). If you are feeling like a security hero, consider helping these extensions out by submitting a PR that adds a restrictive content security policy to their webviews. Here's our documentation to help you get started.
Let me know if an extension has been fixed or was incorrectly flagged
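A restrictive, nonce-based CSP of the kind the post asks for, written as an added TypeScript example; it is not code from this issue, from the linked documentation, or from any extension. The `cspSource` string stands in for the value VS Code hands an extension as `webview.cspSource`, `scriptUri` for a resource URI already converted with `webview.asWebviewUri`, and the `allows`/`parseCsp` helpers are a small checker written for this example (not a VS Code API) so you can confirm what the declared policy actually permits before shipping it.

```typescript
import { randomBytes } from "crypto";

// A fresh nonce per webview load: 16 random bytes, base64-encoded. Injected
// markup cannot guess it, so only the tags we stamp with it may run.
function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

// Builds the policy string. default-src 'none' closes every fetch directive
// we do not open explicitly; scripts and <style> blocks are allowed only by
// nonce; images may come from the extension's webview origin and, optionally,
// from data: URIs (base64-embedded images).
function buildCsp(cspSource: string, nonce: string, allowDataImages: boolean): string {
  const directives = [
    "default-src 'none'",
    `img-src ${cspSource}${allowDataImages ? " data:" : ""}`,
    `style-src ${cspSource} 'nonce-${nonce}'`,
    `script-src 'nonce-${nonce}'`,
  ];
  return directives.join("; ") + ";";
}

// The HTML handed to webview.html. The same nonce appears in the <meta> CSP
// and on every inline <style>/<script> we intend to allow.
function getWebviewHtml(cspSource: string, scriptUri: string, nonce: string): string {
  const csp = buildCsp(cspSource, nonce, true);
  return `<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta http-equiv="Content-Security-Policy" content="${csp}">
  <style nonce="${nonce}">body { font-family: sans-serif; }</style>
</head>
<body>
  <h1>Hello from a CSP-protected webview</h1>
  <img src="data:image/gif;base64,R0lGODlhAQABAAAAACwAAAAAAQABAAA=" alt="">
  <script nonce="${nonce}" src="${scriptUri}"></script>
</body>
</html>`;
}

// Parses a serialized policy into directive -> source-expression list.
function parseCsp(csp: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const raw of csp.split(";")) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    out.set(parts[0], parts.slice(1));
  }
  return out;
}

// Does the policy list `source` for `directive`? A missing fetch directive
// falls back to default-src, exactly as the browser resolves it, and 'none'
// allows nothing.
function allows(csp: string, directive: string, source: string): boolean {
  const map = parseCsp(csp);
  const sources = map.get(directive) ?? map.get("default-src") ?? [];
  if (sources.includes("'none'")) return false;
  return sources.includes(source);
}

// Stand-alone demonstration with constructed inputs in place of the values
// the vscode API would supply at runtime.
const demoNonce = makeNonce();
console.log(getWebviewHtml("vscode-resource:", "vscode-resource:/ext/media/main.js", demoNonce));
```

Generate a new nonce every time you assign `webview.html`, and put it on both the `<meta>` policy and the tags it is meant to cover. A nonce covers `<style>` elements, not `style=""` attributes; inline CSS in attributes has to move into a nonced `<style>` block, or `style-src` has to be widened with `'unsafe-inline'`, which is what the checker above will show as absent from this policy.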
We've just added a CSP to the python extension, but we're still getting the warning? Does it have to be strict in order to not get the warning?
Here's our current CSP:
Is the declared CSP actually enforced?
We use a webview that relies upon inline CSS and base64-encoded images, and it loads correctly with a
Sure, it removes the warning. But I'm a bit worried that we'll have to push a bugfix release in a rush when our users start reporting that the webview is broken after an update to Code.