Help webview extensions add a Content Security Policy

[mjbvz]

Many webview extensions do not currently set a content security policy. All webviews (even very simple ones) should set a content security policy. This is not a immediate security problem but a content security policy helps to limit the potential impact of content injections and is generally a good measure for defense in depth.

I've put together this initial list of extensions that create webviews that seem not to have a content security policy (there may be false positives). If you are feeling like a security hero, consider helping these extensions out by submitting a PR that adds a restrictive content security policy to their webviews. Here's our documentation to help you get started.

Let me know if an extension has been fixed or was incorrectly flagged

---

Key

• ❗️- Confirmed and issue opened
• ✔️ - Fixed
• ❓ - Can't confirm in current code in github master?
• Blank - Unconfirmed

Extensions

• ❗️ vscjava.vscode-java-pack - Webview does not set a content security policy vscode-java-pack#171
• ✔️ Shan.code-settings-sync - Webview does not set a content security policy shanalikhan/code-settings-sync#1010
• ❗️ shengchen.vscode-leetcode - Webview does not set a content security policy  LeetCode-OpenSource/vscode-leetcode#393
• ✔️ tomoki1207.pdf - Webview does not set a content security policy tomoki1207/vscode-pdfviewer#45
• humao.rest-client
• eamodio.gitlens
• platformio.platformio-ide
• ✔️ ms-python.python - https://github.com/microsoft/vscode-python/issues/7007
• ✔️James-Yu.latex-workshop
• shd101wyy.markdown-preview-enhanced
• ✔️ ms-mssql.mssql - https://github.com/microsoft/vscode-mssql/pull/1282/files#diff-8306d266d9ca46a40054bd378cc68948R5
• alefragnani.Bookmarks
• auchenberg.vscode-browser-preview
• streetsidesoftware.code-spell-checker
• donjayamanne.githistory
• anonimitoraf.handlebars-preview-with-function-support
• ❗️ ms-kubernetes-tools.vscode-kubernetes-tools - Webview does not set a content security policy vscode-kubernetes-tools/vscode-kubernetes-tools#600
• alefragnani.project-manager
• almenon.arepl
• johnstoncode.svn-scm
• nkokhelox.svg-font-previewer
• mtxr.sqltools
• TOTVS.tds-vscode
• nrwl.angular-console
• jebbs.plantuml
• ❓ Microsoft.vscode-nmake-tools
• karigari.chat
• GrapeCity.gc-excelviewer
• nondanee.vsc-netease-music
• tht13.html-preview-vscode
• particle.particle-vscode-core
• scalameta.metals
• kdcro101.vscode-redis
• jock.svg
• formulahendry.ycy
• ❓ms-vscode.cpptools
• attilabuti.vscode-mjml
• AzBlockchain.azure-blockchain
• ✔️ ms-edgedevtools.vscode-edge-devtools - Webview does not set a content security policy vscode-edge-devtools#91
• ms-vsliveshare.vsliveshare
• kruemelkatze.vscode-dashboard
• vsciot-vscode.azure-iot-tools
• JaimeOlivares.yuml
• vsciot-vscode.vscode-arduino
• alexcvzz.vscode-sqlite
• Equinusocio.vsc-material-theme
• bajdzis.vscode-database
• pomber.git-file-history
• alios.alios-studio
• Arjun.swagger-viewer
• Ionide.experimental-fsharp
• EFanZh.graphviz-preview
• ❗️ ms-ossdata.vscode-postgresql - https://github.com/microsoft/vscode-postgresql/issues/56
• dongli.python-preview
• Acrolinx.vscode-sidebar
• alefragnani.jenkins-status
• axosoft.gitkraken-glo
• jithurjacob.nbpreviewer
• vsciot-vscode.azure-iot-toolkit
• vsciot-vscode.vscode-iot-workbench
• WASTeamAccount.WebTemplateStudio-dev-nightly
• joaompinto.asciidoctor-vscode
• ego-digital.vscode-powertools
• Orta.vscode-jest
• ✔️ tht13.rst-vscode
• amazonwebservices.aws-toolkit-vscode
• ✔️ Ionide.Ionide-fsharp - Webview does not set a content security policy ionide/ionide-vscode-fsharp#1199
• yokawasa.jwt-debugger
• janisdd.vscode-edit-csv
• vitaliymaz.vscode-svg-previewer
• mrkanister.idef1xer
• Kelvin.vscode-sshfs

[ParkourKarthik]

I'll pick this up. Will start with code settings sync extension.

[utsavm9]

I worked on vitaliymaz.vscode-svg-previewer. It did have a CSP, which was not the most restrictive so maybe it was a false positive or maybe not.

[utsavm9]

@mjbvz I believe janisdd.vscode-edit-csv is a false positive as CSP exists in the extension. Is it here because it has unsafe-inline for its scripts and style as that is not restrictive?

[rchiodo]

We've just added a csp to the python extension, but we're still getting the warning? Does it have to be strict in order to not get the warning?

Here's our current CSP:

<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' 'unsafe-eval' vscode-resource: data: https: http:;">