From ac00898e447e8d5ea4b0ad120671fdb78622f7ab Mon Sep 17 00:00:00 2001
From: Joe Previte
Date: Thu, 14 Apr 2022 14:26:15 -0700
Subject: [PATCH] fix: compare origins in fetch requests against remote authority (#147467)

The previous implementation did not consider what would happen if webview resources were served from the same domain. By first comparing the requestUrl.orgin with the sw.orgin (similar to how it's done for localhost), this is no longer a problem. And since the requests have the same origin, authentication will never be an issue as cookies will exist.
---
 src/vs/workbench/common/webview.ts | 2 +-
 .../workbench/contrib/webview/browser/pre/service-worker.js | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/vs/workbench/common/webview.ts b/src/vs/workbench/common/webview.ts
index aa598f1133d..1db1d451aff 100644
--- a/src/vs/workbench/common/webview.ts
+++ b/src/vs/workbench/common/webview.ts
@@ -22,7 +22,7 @@ export const webviewResourceBaseHost = 'vscode-cdn.net';
 export const webviewRootResourceAuthority = `vscode-resource.${webviewResourceBaseHost}`;
-export const webviewGenericCspSource = `https://*.${webviewResourceBaseHost}`;
+export const webviewGenericCspSource = `'self' https://*.${webviewResourceBaseHost}`;
 /**
 * Construct a uri that can load resources inside a webview
diff --git a/src/vs/workbench/contrib/webview/browser/pre/service-worker.js b/src/vs/workbench/contrib/webview/browser/pre/service-worker.js
index 70534ee470d..81a45ab6ca7 100644
--- a/src/vs/workbench/contrib/webview/browser/pre/service-worker.js
+++ b/src/vs/workbench/contrib/webview/browser/pre/service-worker.js
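Review bot: The new `'self'` token in `webviewGenericCspSource` turns the exported constant from a single host-source into a two-entry source list, and nothing in the file says why the webview's own origin is now trusted for every directive this value is spliced into. A one-line comment above the declaration would anchor the decision, e.g. `// 'self' is required when webview resources are served from the same origin as the service worker; without it same-origin resource loads are blocked by CSP.`. Since this constant is exported, it is presumably embedded by callers (possibly extensions) into their own CSP strings, so the widening applies wherever it is used; the comment should make that trade-off explicit rather than leaving it to the commit message.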
@@ -189,8 +189,10 @@ sw.addEventListener('fetch', (event) => {
 }
 // If we're making a request against the remote authority, we want to go
- // back through VS Code itself so that we are authenticated properly
- if (requestUrl.host === remoteAuthority) {
+ // through VS Code itself so that we are authenticated properly. If the
+ // service worker is hosted on the same origin we will have cookies and
+ // authentication will not be an issue.
+ if (requestUrl.origin !== sw.origin && requestUrl.host === remoteAuthority) {
 switch (event.request.method) {
 case 'GET':
 case 'HEAD':
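Review bot: The added comment states as fact that a same-origin request "will have cookies and authentication will not be an issue", but the new condition only diverts same-origin requests away from the VS Code path; whether credentials actually accompany them depends on the request's credentials mode and on the fall-through branch, both of which are outside this hunk. I would hedge the comment, e.g. `// service worker is hosted on the same origin, so the request is handled by the fall-through path below and is expected to carry the origin's cookies.`, so a later reader does not take the authentication guarantee as established here. Note also that `origin` compares scheme, host and port while `host` omits the scheme, so a request to the remote authority over a different scheme than the worker still takes the VS Code path, which appears intended but is worth stating in the comment. For readability, and to mirror the localhost check the commit message refers to, the test could be hoisted as `const isSameOrigin = requestUrl.origin === sw.origin;` and the guard written `if (!isSameOrigin && requestUrl.host === remoteAuthority) {`. The enclosing fetch listener begins and ends outside the hunk.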