
Fresh copy of code-server 4.98.2 fills the log with Content Security Policy error on Chrome #7285

Open
2 tasks done
fabgilson opened this issue Mar 27, 2025 · 5 comments
Labels
bug Something isn't working triage This issue needs to be triaged by a maintainer

Comments

@fabgilson

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

  • Web Browser: Chrome 134.0.6998.166 arm
  • Local OS: Mac OS Sequoia 15.3.2 (24D81)
  • Remote OS: Ubuntu 22.04.5
  • Remote Architecture: amd64
  • code-server --version: 4.98.2 e2c489d with Code 1.98.2

Steps to Reproduce

  1. Download the deb from github and install a fresh copy, following the steps described here: https://coder.com/docs/code-server/install#debian-ubuntu (deb, dpkg)
  2. Create a service entry for a dedicated user (not sudoer)
  3. Start service
  4. Set up nginx reverse proxy (config below)
  5. Log into code-server
  6. Open the "Output" tab, and select "window" from the dropdown (see below)

Nginx config:

location /code-server/ {
    proxy_pass http://localhost:9000/;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection upgrade;
    proxy_set_header Accept-Encoding gzip;
}
[certbot ssl config not reproduced]

Expected

Not having the log filled with error messages.
Seems to work on Firefox, where the logs do not fill up.

Actual

The log in the Output window keeps getting filled with the same error:

2025-03-27 20:40:42.365 [error] [Window] Failed to construct 'Worker': Access to the script at 'blob:https://SERVERNAME/7c4b764f-20dd-4be6-803c-73dd75b171ff' is denied by the document's Content Security Policy.: SecurityError: Failed to construct 'Worker': Access to the script at 'blob:https://SERVERNAME/7c4b764f-20dd-4be6-803c-73dd75b171ff' is denied by the document's Content Security Policy.
    at nls (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:13907)
    at new lls (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:15332)
    at Iwi.create (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:16079)
    at new ils (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:11441)
    at Z6 (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:16240)
    at new ant (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:2552:9618)
    at ont.r (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:2552:9357)
    at ont.s (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:2552:9411)
    at Object.provideLinks (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:2552:9227)
    at https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:479:18336

Logs

see attached trace.log (in notes).


code-server --verbose > trace.log
[21:07:04] [127.0.0.1][024d80ed][ExtensionHostConnection] Unknown reconnection token (never seen).
[21:07:04] [127.0.0.1][400d0ec0][ManagementConnection] Unknown reconnection token (never seen).
File not found: /usr/lib/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
File not found: /usr/lib/code-server/lib/vscode/node_modules/vsda/rust/web/vsda.js

Screenshot/Video

Image

Does this bug reproduce in native VS Code?

No, this works as expected in native VS Code

Does this bug reproduce in GitHub Codespaces?

I did not test GitHub Codespaces

Are you accessing code-server over a secure context?

  • I am using a secure context.

Notes

@fabgilson fabgilson added bug Something isn't working triage This issue needs to be triaged by a maintainer labels Mar 27, 2025
@fabgilson
Author

trace.log

@code-asher
Member

Thank you for the logs! Is your server adding any content security policies or is code-server embedded on a page with content security policies?

One weird thing that stands out to me is that it seems to be trying to load domain.tld/hash rather than domain.tld/code-server/hash, I wonder if we are not handling the sub-path correctly somewhere. I am not seeing the same error despite also using a sub-path, but my Chrome version is older (131) so this could be new.

@fabgilson
Author

Hello @code-asher. Thanks for your quick reply. I dug into the other nginx.conf files (I don't have full control over the VM). I found the config that is causing the issue:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; script-src-elem *  'unsafe-inline' ; font-src 'self' *; style-src * 'unsafe-inline'; img-src 'self' data: *;";

The Content-Security-Policy makes the subpath reject the file. Is the handling of the subpath under your control, or mine?

I can't get rid of that line, cybersecurity policy here. I'll talk to my IT team to see if I can make it more flexible for the code-server instance though.

Thanks!
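The header quoted in the comment above can be checked against the logged blob: worker URL with the small resolver below. This is an added example, not code from code-server or from the reporter: it implements the worker-src fallback chain from CSP Level 3 (worker-src, then child-src, then script-src, then default-src) and the source-matching rules browsers apply to a Worker created from a blob: URL, namely that neither 'self' nor a bare * host wildcard covers the blob: scheme, so blob: has to be listed explicitly. Nonces, hashes, ports and path matching are deliberately left out. The https://SERVERNAME origin and the blob: URL are taken from the error in the issue; the variant policy with an added worker-src directive is an illustration of how such a worker could be permitted without widening script-src, not a recommendation from the thread.

```python
"""Resolve which CSP directive governs a Worker script URL and whether it is allowed.

Added example for the code-server issue above; not code-server's own code.
Simplified matcher: no nonces, hashes, ports or path matching.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Fallback chain for worker-src as specified in CSP Level 3.
WORKER_FALLBACK = ("worker-src", "child-src", "script-src", "default-src")

# Schemes that a bare "*" host wildcard covers: network schemes only.
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}

# Header copied from the issue comment; SERVERNAME is the reporter's placeholder host.
REPORTED_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; "
    "script-src-elem *  'unsafe-inline' ; font-src 'self' *; "
    "style-src * 'unsafe-inline'; img-src 'self' data: *;"
)
PAGE_ORIGIN = "https://SERVERNAME"
# blob: URL taken from the logged error; the UUID is whatever the browser minted.
BLOB_WORKER_URL = "blob:https://SERVERNAME/7c4b764f-20dd-4be6-803c-73dd75b171ff"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    A directive repeated within one policy is ignored after its first occurrence."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), sources)
    return policy


def governing_directive(policy: dict[str, list[str]],
                        chain: tuple[str, ...] = WORKER_FALLBACK) -> str | None:
    """Return the first directive in the fallback chain that the policy sets, if any."""
    for name in chain:
        if name in policy:
            return name
    return None


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Match one source expression against a URL (simplified, see module docstring)."""
    u, o = urlsplit(url), urlsplit(page_origin)
    e = expr.lower()
    if e == "'self'":
        # Browsers apply 'self' to same-origin network URLs only; blob: and data:
        # resources are not covered even when minted by a same-origin document.
        return u.scheme in NETWORK_SCHEMES and (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if e.startswith("'"):
        return False  # 'unsafe-inline', 'unsafe-eval', 'none' never match a URL
    if e.endswith(":") and "/" not in e:
        return u.scheme == e[:-1]  # scheme-source such as blob: or data:
    if e == "*":
        # Bare wildcard: any network scheme, or the page's own scheme.
        return u.scheme in NETWORK_SCHEMES or u.scheme == o.scheme
    # host-source: optional scheme, optional "*." prefix on the host, path ignored.
    scheme, _, host = e.rpartition("://") if "://" in e else ("", "", e)
    host = host.rstrip("/").split("/")[0].split(":")[0]
    if scheme and u.scheme != scheme:
        return False
    if not scheme and u.scheme not in NETWORK_SCHEMES:
        return False
    if host.startswith("*."):
        return u.hostname is not None and u.hostname.endswith(host[1:])
    return (u.hostname or "") == host


def worker_allowed(header: str, worker_url: str, page_origin: str) -> bool:
    """Decide whether a Worker constructed from worker_url passes the policy."""
    policy = parse_csp(header)
    directive = governing_directive(policy)
    if directive is None:
        return True  # nothing in the chain is set: CSP does not restrict workers
    sources = policy[directive]
    if sources == ["'none'"]:
        return False
    return any(source_matches(s, worker_url, page_origin) for s in sources)


if __name__ == "__main__":
    reported = parse_csp(REPORTED_CSP)
    print("governing directive:", governing_directive(reported))
    print("blob worker allowed by reported policy:",
          worker_allowed(REPORTED_CSP, BLOB_WORKER_URL, PAGE_ORIGIN))
    # Illustrative variant: permit blob: workers explicitly instead of widening script-src.
    variant = REPORTED_CSP + " worker-src 'self' blob:;"
    print("blob worker allowed with worker-src 'self' blob::",
          worker_allowed(variant, BLOB_WORKER_URL, PAGE_ORIGIN))
```

Run against the reported header, the resolver lands on script-src (no worker-src or child-src is set) and finds nothing in 'self' 'unsafe-inline' 'unsafe-eval' * that covers blob:, which is the denial the Output window reports. The same resolver shows that a same-origin https script under /code-server/ is accepted by 'self', so the rejection is about the blob: scheme rather than the sub-path.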

@code-asher
Member

code-asher commented Mar 28, 2025

That sub-path should be under our control. We do some patching to automatically add the sub-path to various parts of VS Code, and we must have missed this one.

Edit: although, it could also be a miss on VS Code's side. More investigation needed.

@fabgilson
Author

Cool, thanks for confirming.
