code-server/patches/webview.diff
Joe Previte 7027ec7d60
chore: upgrade Code to 1.66 (#5135)
* chore: upgrade Code to 1.66

* docs: update docs for Code upgrades

* fixup!: docs

* chore: update vscode submodule

* chore: update integration patch

* chore: update node-version patch

* chore: update github-auth patch

They completely changed how auth is handled for GitHub in
https://github.com/microsoft/vscode/pull/145424 so our patch may not
work. Will need to test and revisit.

* refactor: remove postinstall patch

It appears they renamed postinstall.js to postinstall.mjs and removed
the use of `rimraf` which means our patch is no longer needed! 🎉

b0e8554cce

* chore: refresh local-storage patch

* chore: refresh service-worker patch

* chore: bulk refresh patches

* fixup!: docs formatting

* refactor: remove unused last-opened patch

* fixup!: formatting docs

* fixup!: formatting docs

* refactor: remove rsync postinstall

* Revert "refactor: remove rsync postinstall"

This reverts commit 8d6b613e9d.

* refactor: update postinstall.js to .mjs

* feat(patches): add parent-origin bypass

* docs(patches): add notes for testing store-socket

* docs(patches): update testing info for node-version

* refactor(patches): delete github-auth.diff patch

* docs(patches): add notes for testing connection-type

* fixup!: delete github-auth patch

* fixup!: update connection type testing

* docs(patches): add notes to insecure-notification.diff

* docs(patches): add nots for update-check.diff

* fixup!: remove comma in integration patch

* fix(e2e): disable workspace trust

* refactor: add --no-default-rc for yarn install

* feat(patches): remove yarnrc in presinstall

* fixup!: silly mistake

* docs: add note about KEEP_MODULES=1

* docs(patches): add testing notes for node-version

* refactor(patches): remove node-version

It appears this is no longer needed due to the `remote/package.json` now which
targets node rather than electron.

* fixup!: add cd ../.. to code upgrade instructions

* fixup!: add note to yarn --production flag

* fixup!: make parent-origin easier to upstream

* Revert "refactor(patches): delete github-auth.diff patch"

This reverts commit 31a354a343.

* Revert "fixup!: delete github-auth patch"

This reverts commit bdeb5212e8.

* Merge webview origin patch into webview patch

* Remove unused post-install patch

* Prevent builtin extensions from updating

* Refresh sourcemaps patch

* Update Node to v16

This matches the version in ./lib/vscode/remote/.yarnrc.

I changed the engine to exactly 16 since if you use any different
version it will just not work since the modules will have been built for
16 (due to the .yarnrc).

* Replace fs.rmdir with fs.rm

Node is showing a deprecation warning about it.

* Update github-auth patch

The local credentials provider is no longer used when there is a remote
so this code moved into the backend web credential provider.

* Prevent fs.rm from erroring about non-existent files

We were using fs.rmdir which presumably did not have the same behavior
in v14 (in v16 fs.rmdir also errors).

* Install Python 3 in CentOS CI container

Co-authored-by: Asher <ash@coder.com>
2022-05-04 21:58:49 +00:00

97 lines
5.1 KiB
Diff

Serve webviews from the same origin
Normally webviews are served from vscode-webview.net but we would rather them be
self-hosted.
When doing this CSP will block resources (for example when viewing images) so
add 'self' to the CSP to fix that.
Additionally the service worker defaults to handling *all* requests made to the
current host but when self-hosting the webview this will end up including the
webview HTML itself which means these requests will fail since the communication
channel between the webview and the main thread has not been set up yet as the
webview itself is not ready yet (it has no HTML and therefore no script either).
Since this code exists only for the authentication case we can just skip it when
it is served from the current host as authentication is not a problem if the
request is not cross-origin.
There is also an origin check we bypass (this seems to be related to how the
webview host is separate by default but we serve on the same host).
To test, open a few types of webviews (images, markdown, extension details, etc).
Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
+++ code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
@@ -179,7 +179,7 @@ export class BrowserWorkbenchEnvironment
@memoize
get webviewExternalEndpoint(): string {
- const endpoint = this.options.webviewEndpoint
+ const endpoint = (this.options.webviewEndpoint && new URL(this.options.webviewEndpoint, window.location.toString()).toString())
|| this.productService.webviewContentExternalBaseUrlTemplate
|| 'https://{{uuid}}.vscode-webview.net/{{quality}}/{{commit}}/out/vs/workbench/contrib/webview/browser/pre/';
Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
===================================================================
--- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
+++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
@@ -283,6 +283,7 @@ export class WebClientServer {
const data = (await util.promisify(fs.readFile)(filePath)).toString()
.replace('{{WORKBENCH_WEB_CONFIGURATION}}', escapeAttribute(JSON.stringify({
remoteAuthority,
+ webviewEndpoint: vscodeBase + '/static/out/vs/workbench/contrib/webview/browser/pre',
_wrapWebWorkerExtHostInIframe,
developmentOptions: { enableSmokeTestDriver: this._environmentService.driverHandle === 'web' ? true : undefined },
settingsSyncOptions: !this._environmentService.isBuilt && this._environmentService.args['enable-sync'] ? { enabled: true } : undefined,
Index: code-server/lib/vscode/src/vs/workbench/common/webview.ts
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/common/webview.ts
+++ code-server/lib/vscode/src/vs/workbench/common/webview.ts
@@ -22,7 +22,7 @@ export const webviewResourceBaseHost = '
export const webviewRootResourceAuthority = `vscode-resource.${webviewResourceBaseHost}`;
-export const webviewGenericCspSource = `https://*.${webviewResourceBaseHost}`;
+export const webviewGenericCspSource = `'self' https://*.${webviewResourceBaseHost}`;
/**
* Construct a uri that can load resources inside a webview
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/service-worker.js
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/service-worker.js
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/service-worker.js
@@ -188,9 +188,11 @@ sw.addEventListener('fetch', (event) =>
}
}
- // If we're making a request against the remote authority, we want to go
- // back through VS Code itself so that we are authenticated properly
- if (requestUrl.host === remoteAuthority) {
+ // If we're making a request against the remote authority, we want to go back
+ // through VS Code itself so that we are authenticated properly. If the
+ // service worker is hosted on the same origin we will have cookies and
+ // authentication will not be an issue.
+ if (requestUrl.origin !== sw.origin && requestUrl.host === remoteAuthority) {
switch (event.request.method) {
case 'GET':
case 'HEAD':
Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
===================================================================
--- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
+++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
@@ -318,6 +318,12 @@ const hostMessaging = new class HostMess
const hostname = location.hostname;
+ // It is safe to run if we are on the same host.
+ const parent = new URL(parentOrigin)
+ if (parent.hostname === location.hostname) {
+ return start(parentOrigin)
+ }
+
if (!crypto.subtle) {
// cannot validate, not running in a secure context
throw new Error(`Cannot validate in current context!`);