set COOP, COEP, and CORP headers for desktop #145539
Conversation
| headers: { | ||
| 'Cross-Origin-Opener-Policy': 'same-origin', | ||
| 'Cross-Origin-Embedder-Policy': 'require-corp', | ||
| 'Cross-Origin-Resource-Policy': 'cross-origin' |
There was a problem hiding this comment.
For webviews, the corp header needs to be added to
vscode/src/vs/workbench/contrib/webview/browser/pre/service-worker.js
Lines 269 to 273 in b8a5e18
<outer iframe> -> serves the static resources https://github.com/microsoft/vscode/tree/main/src/vs/workbench/contrib/webview/browser/pre
<inner iframe> -> hosts the extension and resources are served via the service worker of the outer frame
webviewProtocolProvider only handles serving the static resources for the outer iframe
/cc @mjbvz
There was a problem hiding this comment.
@deepak1556 Yes that sounds correct to me
Will adding this policy risk breaking existing webviews though? I'm not very familiar with cross origin embedder policy so I just want to make sure that if a webview loads an external resource today, adding this new header won't break them
There was a problem hiding this comment.
I'm not very familiar with cross origin embedder policy so I just want to make sure that if a webview loads an external resource today, adding this new header won't break them
Yeah, that's the question here. When a page runs with COEP set to require-corp all its external resources must use the CORP header. I am not sure if web views always and only fetch resources from within their extension bundle or if they also fetch external resources, like from a CDN. Iff so we need to make the crossOriginIsolation opt-in for webviews
There was a problem hiding this comment.
I'm not very familiar with cross origin embedder policy so I just want to make sure that if a webview loads an external resource today, adding this new header won't break them
https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit is a good primer on these headers
When COEP is set, external resources can also allow themselves to be loaded either with CORP header or CORS Access-Control-Allow-Origin header.
I like the idea of having this feature opt-in, COOP-COEP headers are necessary to gate access to exploitable web API (SharedArrayBuffers, performance.memory) and having extensions explicitly opt-in ensures that they validate external resources loaded obey the CORP/CORS rules and also these headers will isolate them from other extensions.
There was a problem hiding this comment.
Pushed a change to use 'Cross-Origin-Embedder-Policy': 'credentialless' for web views. That was the only combination of headers allowing the iframes to be loaded while them still being able to load "outside" content, like a random image from our homepage.
jrieken
force-pushed
the
joh/crossOriginIsolation
branch
from
ba75bde
to
67f3fd9
Compare
|
Please review. The renderer and the web worker extension host will be cross origin isolated with this PR. Web views won't. I still needed to add headers to them to load in the stricter context (CORP, COEP). I have tested with our markdown preview, our images preview, luna paint, and a webview panel that loads resources from the internet (not from within the extension) but please review/test carefully. |
|
Thanks @jrieken! I just tested a few webview extensions. Here's what I've found so far:
I'm taking a look into the live preview issue now |
|
The request that fails: I think this document may be relevant: https://github.com/camillelamy/explainers/blob/main/anonymous_iframes.md |
Signed-off-by: Babak K. Shandiz <[email protected]>
Signed-off-by: Babak K. Shandiz <[email protected]>
Signed-off-by: Babak K. Shandiz <[email protected]>
… contribution Signed-off-by: Babak K. Shandiz <[email protected]>
Signed-off-by: Babak K. Shandiz <[email protected]>
Fixed SignatureInformation.activeParameter comment
Button separator color on high-contrast themes (Fixes #155285)
joh/innocent tiger
joh/cruel hoverfly
For now only when checking for tabs, not yet for opening tabs
…n elements (#155317) Remove tabIndex from the label and description elements
Add ability to continue desktop edit session in vscode.dev
* replace list type filter and tree type label controller with list type navigation and tree find. use proper FindInput widget * make sure vim doesn't break * polish outline use case * 💄 * remove unused import
* add telemetry comments * update comments
joh/double barnacle
This PR is for #116715 and sets COOP, COEP and CORP headers so that the renderer and worker extension host are cross origin isolated. Tho, for webviews this doesn't work yet