
Help webview extensions add a Content Security Policy #79340

Open
mjbvz opened this issue Aug 16, 2019 · 7 comments

Comments

@mjbvz
Contributor

commented Aug 16, 2019

Many webview extensions do not currently set a content security policy. All webviews (even very simple ones) should set a content security policy. This is not an immediate security problem, but a content security policy helps to limit the potential impact of content injections and is generally a good measure for defense in depth.

I've put together this initial list of extensions that create webviews that seem not to have a content security policy (there may be false positives). If you are feeling like a security hero, consider helping these extensions out by submitting a PR that adds a restrictive content security policy to their webviews. Here's our documentation to help you get started.

Let me know if an extension has been fixed or was incorrectly flagged.


Key

  • ❗️- Confirmed and issue opened
  • ✔️ - Fixed
  • - Can't confirm in current code in github master?
  • Blank - Unconfirmed

Extensions

  • ❗️ vscjava.vscode-java-pack - microsoft/vscode-java-pack#171
  • ❗️ Shan.code-settings-sync - shanalikhan/code-settings-sync#1010
  • ❗️ shengchen.vscode-leetcode - jdneo/vscode-leetcode#393
  • ✔️ tomoki1207.pdf - tomoki1207/vscode-pdfviewer#45
  • humao.rest-client
  • eamodio.gitlens
  • platformio.platformio-ide
  • ❗️ ms-python.python - microsoft/vscode-python#7007
  • James-Yu.latex-workshop
  • shd101wyy.markdown-preview-enhanced
  • ms-mssql.mssql
  • alefragnani.Bookmarks
  • auchenberg.vscode-browser-preview
  • streetsidesoftware.code-spell-checker
  • donjayamanne.githistory
  • anonimitoraf.handlebars-preview-with-function-support
  • ❗️ ms-kubernetes-tools.vscode-kubernetes-tools - Azure/vscode-kubernetes-tools#600
  • alefragnani.project-manager
  • almenon.arepl
  • johnstoncode.svn-scm
  • nkokhelox.svg-font-previewer
  • mtxr.sqltools
  • TOTVS.tds-vscode
  • nrwl.angular-console
  • jebbs.plantuml
  • Microsoft.vscode-nmake-tools
  • karigari.chat
  • GrapeCity.gc-excelviewer
  • nondanee.vsc-netease-music
  • tht13.html-preview-vscode
  • particle.particle-vscode-core
  • scalameta.metals
  • kdcro101.vscode-redis
  • jock.svg
  • formulahendry.ycy
  • ms-vscode.cpptools
  • attilabuti.vscode-mjml
  • AzBlockchain.azure-blockchain
  • ❗️ ms-edgedevtools.vscode-edge-devtools - microsoft/vscode-edge-devtools#91
  • ms-vsliveshare.vsliveshare
  • kruemelkatze.vscode-dashboard
  • vsciot-vscode.azure-iot-tools
  • JaimeOlivares.yuml
  • vsciot-vscode.vscode-arduino
  • alexcvzz.vscode-sqlite
  • Equinusocio.vsc-material-theme
  • bajdzis.vscode-database
  • pomber.git-file-history
  • alios.alios-studio
  • Arjun.swagger-viewer
  • Ionide.experimental-fsharp
  • EFanZh.graphviz-preview
  • ❗️ ms-ossdata.vscode-postgresql - microsoft/vscode-postgresql#56
  • dongli.python-preview
  • Acrolinx.vscode-sidebar
  • alefragnani.jenkins-status
  • axosoft.gitkraken-glo
  • jithurjacob.nbpreviewer
  • vsciot-vscode.azure-iot-toolkit
  • vsciot-vscode.vscode-iot-workbench
  • WASTeamAccount.WebTemplateStudio-dev-nightly
  • joaompinto.asciidoctor-vscode
  • ego-digital.vscode-powertools
  • Orta.vscode-jest
  • tht13.rst-vscode
  • amazonwebservices.aws-toolkit-vscode
  • ❗️ Ionide.Ionide-fsharp - ionide/ionide-vscode-fsharp#1199
  • yokawasa.jwt-debugger
  • janisdd.vscode-edit-csv
  • vitaliymaz.vscode-svg-previewer
  • mrkanister.idef1xer
  • Kelvin.vscode-sshfs

@mjbvz mjbvz added this to the August 2019 milestone Aug 16, 2019

@mjbvz mjbvz self-assigned this Aug 16, 2019

@ParkourKarthik

Contributor

commented Aug 22, 2019

I'll pick this up. Will start with code settings sync extension.

@utsavm9


commented Aug 30, 2019

I worked on vitaliymaz.vscode-svg-previewer. It did have a CSP, which was not the most restrictive so maybe it was a false positive or maybe not.

@utsavm9


commented Aug 30, 2019

@mjbvz I believe janisdd.vscode-edit-csv is a false positive as CSP exists in the extension. Is it here because it has unsafe-inline for its scripts and style as that is not restrictive?

@rchiodo


commented Sep 5, 2019

We've just added a csp to the python extension, but we're still getting the warning? Does it have to be strict in order to not get the warning?

Here's our current CSP:

<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' 'unsafe-eval' vscode-resource: data: https: http:;">

@TantumErgo


commented Sep 5, 2019

What file or files is the CSP usually included in?

So if you click on any of the repos with confirmed and open issues and take a look at the project files, what files should usually contain a CSP? All HTML files?

@jblievremont


commented Sep 12, 2019

Is the declared CSP actually enforced?

We use a webview that relies upon inline CSS and base64-encoded images, and it loads correctly with a default-src 'none'; CSP.

Sure, it removes the warning. But I'm a bit worried that we'll have to push a bugfix release in a rush when our users start reporting that the webview is broken after an update to Code.

@mjbvz

Contributor Author

commented Sep 13, 2019

@jblievremont Can you share a link to an example extension?

6 participants