fix: Add Content-Security-Policy to webviews (#171) (#1648)

Author: chagong

src/beginner-tips/index.ts

@@ -109,11 +109,13 @@ class BeginnerTipsPage {
 
 		// Use a nonce to whitelist which scripts can be run
 		const nonce = getNonce();
+		const cspSource = this._panel!.webview.cspSource;
 
 		return `<!DOCTYPE html>
 			<html lang="en">
 			<head>
 				<meta charset="utf-8">
+				<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src ${cspSource} https: data:; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src ${cspSource} https: data:;">
 				<meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
 				<meta name="theme-color" content="#000000">
 				<title>${WEBVIEW_TITLE}</title>

src/ext-guide/index.ts

@@ -74,10 +74,12 @@ function getHtmlForWebview(webviewPanel: vscode.WebviewPanel, scriptPath: string
 
   // Use a nonce to whitelist which scripts can be run
   const nonce = getNonce();
+  const cspSource = webviewPanel.webview.cspSource;
   return `<!DOCTYPE html>
   <html lang="en">
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src ${cspSource} https: data:; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src ${cspSource} https: data:;">
     <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
     <meta name="theme-color" content="#000000">
     <title>Java Extensions Guide</title>

src/formatter-settings/index.ts

@@ -158,10 +158,12 @@ export class JavaFormatterSettingsEditorProvider implements vscode.CustomTextEdi
 
         // Use a nonce to whitelist which scripts can be run
         const nonce = getNonce();
+        const cspSource = this.webviewPanel!.webview.cspSource;
         return `<!DOCTYPE html>
           <html lang="en">
           <head>
             <meta charset="utf-8">
+            <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src ${cspSource} https: data:; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src ${cspSource} https: data:;">
             <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
             <meta name="theme-color" content="#000000">
             <title>Java Formatter Settings</title>

src/install-jdk/index.ts

@@ -143,11 +143,13 @@ class InstallJdkPage {
 
 		// Use a nonce to whitelist which scripts can be run
 		const nonce = getNonce();
+		const cspSource = this._panel!.webview.cspSource;
 
 		return `<!DOCTYPE html>
 			<html lang="en">
 			<head>
 				<meta charset="utf-8">
+				<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src ${cspSource} https: data:; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src ${cspSource} https: data:;">
 				<meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
 				<meta name="theme-color" content="#000000">
 				<title>React App</title>

src/java-runtime/index.ts

@@ -165,11 +165,13 @@ function getHtmlForWebview(webviewPanel: vscode.WebviewPanel, scriptPath: string
 
   // Use a nonce to whitelist which scripts can be run
   const nonce = getNonce();
+  const cspSource = webviewPanel.webview.cspSource;
 
   return `<!DOCTYPE html>
   <html lang="en">
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src ${cspSource} https: data:; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src ${cspSource} https: data:;">
     <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
     <meta name="theme-color" content="#000000">
     <title>Configure Java Runtime</title>

src/overview/index.ts

@@ -114,11 +114,13 @@ function getHtmlForWebview(webviewPanel: vscode.WebviewPanel, scriptPath: string
 
   // Use a nonce to whitelist which scripts can be run
   const nonce = getNonce();
+  const cspSource = webviewPanel.webview.cspSource;
 
   return `<!DOCTYPE html>
   <html lang="en">
   <head>
     <meta charset="utf-8">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src ${cspSource} https: data:; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src ${cspSource} https: data:;">
     <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
     <meta name="theme-color" content="#000000">
     <title>Java Overview</title>

src/project-settings/projectSettingsView.ts

@@ -195,10 +195,12 @@ class ProjectSettingView {
 
         // Use a nonce to whitelist which scripts can be run
         const nonce = getNonce();
+        const cspSource = webview.cspSource;
         return `<!DOCTYPE html>
         <html lang="en">
         <head>
             <meta charset="utf-8">
+            <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src ${cspSource} https: data:; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src ${cspSource} https: data:;">
             <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
             <meta name="theme-color" content="#000000">
             <title>Project Settings</title>

src/welcome/index.ts

@@ -104,10 +104,12 @@ function getHtmlForWebview(webviewPanel: vscode.WebviewPanel, scriptPath: string
 
     // Use a nonce to whitelist which scripts can be run
     const nonce = getNonce();
+    const cspSource = webviewPanel.webview.cspSource;
     return `<!DOCTYPE html>
     <html lang="en">
     <head>
         <meta charset="utf-8">
+        <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src ${cspSource} https: data:; script-src 'nonce-${nonce}'; style-src ${cspSource} 'unsafe-inline'; font-src ${cspSource} https: data:;">
         <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
         <meta name="theme-color" content="#000000">
         <title>Java Help Center</title>