From 69fd57e4dc6613d430fe8b7012de70013c811a9b Mon Sep 17 00:00:00 2001
From: Matt Bierner
Date: Thu, 15 Jun 2017 13:04:08 -0700
Subject: [PATCH] Add CSP To Root Document (#28670)
* Add CSP To Root Document
Adds a content security policy to the root vscode document. This limits what can be loaded.
Important changes:
* Connect-src is limited to `self` or `https:`
* script-src is limited to `self`
* object and child-src are limited to `self`
* Media allows `self` `http` `https` and `data`
* Add preload to gulp
* Default to none
* Don't use let in preload
---
build/gulpfile.vscode.js | 3 +-
.../electron-browser/bootstrap/index.html | 37 +-----------------
.../electron-browser/bootstrap/preload.js | 39 +++++++++++++++++++
3 files changed, 43 insertions(+), 36 deletions(-)
create mode 100644 src/vs/workbench/electron-browser/bootstrap/preload.js
diff --git a/build/gulpfile.vscode.js b/build/gulpfile.vscode.js
index 1af153e1e81..453b44df066 100644
--- a/build/gulpfile.vscode.js
+++ b/build/gulpfile.vscode.js
@@ -214,7 +214,8 @@ function packageTask(platform, arch, opts) {
'vs/workbench/electron-browser/workbench.main.js',
'vs/workbench/electron-browser/workbench.main.css',
'vs/workbench/electron-browser/bootstrap/index.html',
- 'vs/workbench/electron-browser/bootstrap/index.js'
+ 'vs/workbench/electron-browser/bootstrap/index.js',
+ 'vs/workbench/electron-browser/bootstrap/preload.js'
]);
const src = gulp.src(out + '/**', { base: '.' })
diff --git a/src/vs/workbench/electron-browser/bootstrap/index.html b/src/vs/workbench/electron-browser/bootstrap/index.html
index 1474a70e097..29b73eae7c1 100644
--- a/src/vs/workbench/electron-browser/bootstrap/index.html
+++ b/src/vs/workbench/electron-browser/bootstrap/index.html
@@ -3,43 +3,10 @@ + - +
diff --git a/src/vs/workbench/electron-browser/bootstrap/preload.js b/src/vs/workbench/electron-browser/bootstrap/preload.js
new file mode 100644
index 00000000000..d451c2d5fb7
--- /dev/null
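Review bot: The new policy's markup did not survive in this hunk, so this point rests on the commit description only: a `connect-src` of `'self' https:` lets the renderer open XHR and WebSocket connections to any HTTPS origin, and `media-src` additionally admits cleartext `http:`, both far wider than the `'self'`-only sources chosen for `script-src`, `object-src` and `child-src`. If those broad sources are genuinely required (extension or gallery traffic, remote media), a short HTML comment next to the policy naming the consumer, e.g. `<!-- connect-src https: is needed for X; tighten if possible -->`, would keep a later reader from silently depending on them. It is also worth stating in the same comment which script injects inline styles, because with `default-src 'none'` the `style-src` value decides whether the `<style>` element preload.js creates is applied or blocked.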
+++ b/src/vs/workbench/electron-browser/bootstrap/preload.js
@@ -0,0 +1,39 @@
+/*---------------------------------------------------------------------------------------------
+ * Copyright (c) Microsoft Corporation. All rights reserved.
+ * Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+'use strict';
+
+(function() {
+ function getConfig() {
+ const queryParams = window.location.search.substring(1).split('&');
+ for (var i = 0; i < queryParams.length; i++) {
+ var kv = queryParams[i].split('=');
+ if (kv[0] === 'config' && kv[1]) {
+ return JSON.parse(decodeURIComponent(kv[1]));
+ }
+ }
+ return {};
+ }
+ try {
+ const config = getConfig();
+ const document = window.document;
+
+ // sets the base theme class ('vs', 'vs-dark', 'hc-black')
+ const baseTheme = config.baseTheme || 'vs';
+ document.body.className = 'monaco-shell ' + baseTheme;
+
+ // adds a stylesheet with the backgrdound color
+ var backgroundColor = config.backgroundColor;
+ if (!backgroundColor) {
+ backgroundColor = baseTheme === 'hc-black' ? '#000000' : (baseTheme === 'vs' ? '#FFFFFF' : '#1E1E1E');
+ }
+ const foregroundColor = baseTheme === 'hc-black' ? '#FFFFFF' : (baseTheme === 'vs' ? '#6C6C6C' : '#CCCCCC');
+ const style = document.createElement('style');
+ style.innerHTML = '.monaco-shell { background-color:' + backgroundColor + '; color:' + foregroundColor + '; }';
+ document.head.appendChild(style);
+
+ } catch (error) {
+ console.error(error);
+ }
+})();
\ No newline at end of file
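Review bot: `getConfig()` parses the `config` value straight out of `window.location.search`, and the body of the IIFE then places `config.backgroundColor` into a CSS rule string and `config.baseTheme` into `document.body.className` with no check on either; a value such as `red; } body { background: url(...) }` closes the rule and injects arbitrary CSS, and an unexpected theme name becomes an arbitrary class on `<body>`. In the shipped product the URL is presumably assembled by the main process, so the practical exposure is limited, but validating at this boundary is cheap: accept only the three known theme names and a hex colour literal for `backgroundColor` (widen the pattern if callers legitimately pass other formats), falling back to the existing defaults otherwise. Setting the rule through `style.textContent` instead of `innerHTML` also makes it explicit that no markup is intended, and the comment `// adds a stylesheet with the backgrdound color` should read `background`. Because this `<style>` element is created by script, the CSP added to index.html (whose markup did not survive in this view) has to allow inline styles or the rule will be dropped silently.
```javascript
            // sets the base theme class ('vs', 'vs-dark', 'hc-black'); anything else falls back to 'vs'
            const knownThemes = ['vs', 'vs-dark', 'hc-black'];
            const baseTheme = knownThemes.indexOf(config.baseTheme) !== -1 ? config.baseTheme : 'vs';
            document.body.className = 'monaco-shell ' + baseTheme;

            // adds a stylesheet with the background color; only a hex literal is accepted so the
            // value cannot terminate the rule and inject further CSS
            var backgroundColor = config.backgroundColor;
            if (typeof backgroundColor !== 'string' || !/^#[0-9a-fA-F]{3,8}$/.test(backgroundColor)) {
                backgroundColor = baseTheme === 'hc-black' ? '#000000' : (baseTheme === 'vs' ? '#FFFFFF' : '#1E1E1E');
            }
            // … unchanged: foregroundColor …
            const style = document.createElement('style');
            style.textContent = '.monaco-shell { background-color:' + backgroundColor + '; color:' + foregroundColor + '; }';
            document.head.appendChild(style);
```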