Microsoft/vscode
1
0
Fork 0
mirror of https://github.com/microsoft/vscode.git synced 2026-05-21 23:59:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow loading webview outside of file: origin (#41698)

Browse Source 
* Allow loading webview outside of file: origin

**Problem**
Webviews are currently always loaded from a file on the disk. This results in the webview running in the file origin, potentially allowing it to access any file on disk. If a webview fails to sanitize workspace or remote input, untrusted code could potentially access files on the user's system.

**Fix**
Add a new option to serve the webview out of a "data:" uri instead. This prevents access to `file://` resources.

In order to allow webviews to still load resources from disk, add a new protocol called `vscode-core-resource://` that only allows access to resources inside of the vscode directory.

Moves extension pages and our release notes to use this new option. These already are pretty locked down. We cannot move the htmlpreview command to use this option as it would break a huge number of existing extensions, however the new webview API will always have this new option enabled.

* Shorted protocol name
This commit is contained in:
Matt Bierner
2018-01-16 12:50:14 -08:00
committed by GitHub
parent 42de6cc82f
commit cbf9ae23ed
6 changed files with 95 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/vs/code/electron-main/app.ts
+10 -2
View File
@@ -126,8 +126,16 @@ export class CodeApplication {
}
});
const isValidWebviewSource = (source: string) =>
!source || (URI.parse(source.toLowerCase()).toString() as any).startsWith(URI.file(this.environmentService.appRoot.toLowerCase()).toString());
const isValidWebviewSource = (source: string): boolean => {
if (!source) {
return false;
}
if (source === 'data:text/html;charset=utf-8,%3C%21DOCTYPE%20html%3E%0D%0A%3Chtml%20lang%3D%22en%22%20style%3D%22width%3A%20100%25%3B%20height%3A%20100%25%22%3E%0D%0A%3Chead%3E%0D%0A%09%3Ctitle%3EVirtual%20Document%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%20style%3D%22margin%3A%200%3B%20overflow%3A%20hidden%3B%20width%3A%20100%25%3B%20height%3A%20100%25%22%3E%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E') {
return true;
}
const srcUri: any = URI.parse(source.toLowerCase()).toString();
return srcUri.startsWith(URI.file(this.environmentService.appRoot.toLowerCase()).toString());
};
app.on('web-contents-created', (_event: any, contents) => {
contents.on('will-attach-webview', (event: Electron.Event, webPreferences, params) => {