Only allow webviews protocol in top level editor windows

2026-04-19 08:08:39 +01:00 · 2022-03-08 11:16:35 -08:00
parent 98e5315c0d
commit fa6ee6ce91
1 changed files with 32 additions and 0 deletions
--- a/src/vs/code/electron-main/app.ts
+++ b/src/vs/code/electron-main/app.ts
@@ -195,9 +195,41 @@ export class CodeApplication extends Disposable {
 			return false;
 		};

+		const isAllowedWebviewRequest = (details: Electron.OnBeforeRequestListenerDetails): boolean => {
+			const url = URI.parse(details.url);
+
+			// Only restrict top level page of webviews: index.html
+			if (url.path !== '/index.html') {
+				return true;
+			}
+
+			const frame = details.frame;
+			if (!frame || !this.windowsMainService) {
+				return false;
+			}
+
+			// Check to see if the request comes from one of the main editor windows.
+			for (const window of this.windowsMainService.getWindows()) {
+				if (window.win) {
+					if (frame.processId === window.win.webContents.mainFrame.processId) {
+						return true;
+					}
+				}
+			}
+
+			return false;
+		};
+
 		session.defaultSession.webRequest.onBeforeRequest((details, callback) => {
 			const uri = URI.parse(details.url);

+			if (uri.scheme === Schemas.vscodeWebview) {
+				if (!isAllowedWebviewRequest(details)) {
+					this.logService.error('Blocked vscode-webview request', details.url);
+					return callback({ cancel: true });
+				}
+			}
+
 			if (uri.scheme === Schemas.vscodeFileResource) {
 				if (!isAllowedVsCodeFileRequest(details)) {
 					this.logService.error('Blocked vscode-file request', details.url);