Port - Restrict which sites our webview iframe can frame (#18495)

* protocol handler - normalize paths

* use `extUri` for normalizing paths

* :lipstick:

* Add content security policy to top level webview

This change hardens our webviews by adding a fairly restrictive csp to them. This CSP should only apply to the outer webview iframe, not to the inner iframe which is controlled by extensions.

Co-authored-by: Benjamin Pasero <benjamin.pasero@microsoft.com>
Co-authored-by: Matt Bierner <matb@microsoft.com>
Karl Burtram
2022-02-18 15:12:21 -08:00
committed by GitHub
parent eff847f35a
commit e0cb88599d
2 changed files with 24 additions and 12 deletions


@@ -4,6 +4,8 @@
<head>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; frame-src 'self'; style-src 'unsafe-inline';">
<!-- Disable pinch zooming -->
<meta name="viewport"
content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no">
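Review bot: `style-src 'unsafe-inline'` on the new `Content-Security-Policy` `<meta>` line is the one allowance worth questioning in an otherwise `default-src 'none'` policy; if the outer document's inline styles are fixed at build time, a `'sha256-...'` hash or a nonce source would allow exactly those styles without reopening inline style injection. Two checks on the placement: a CSP delivered via `<meta http-equiv>` only governs resources loaded after the parser reaches it, so it is correct that the tag sits at the top of `<head>` before any script or stylesheet, and such a meta policy cannot carry `frame-ancestors`, `report-uri` or `sandbox`, so this change restricts what the outer webview may frame (`frame-src 'self'`) but not who may frame it. The hunk header `@@ -4,6 +4,8 @@` announces two added lines while only the CSP line is visible in this excerpt; confirm the second added line in the full diff.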