Hi,
I'm trying to run code-server behind a fairly strict CSP, and getting a large number of CSP errors like this:
Refused to set the document's base URI to 'https://vscode-remote+[snip]vscode-resource.vscode-cdn.net/home/dw-user/' because it violates the following Content Security Policy directive: [snip]
Refused to load the script 'https://vscode-remote+[snip].vscode-resource.vscode-cdn.net/etc/code-server/extensions/ms-toolsai.jupyter-2024110-universal/dist/webviews/webview-side/ipywidgetsKernel/ipywidgetsKernel.js' because it violates the following Content Security Policy directive: [snip]
(And then some functionality is broken, for example Jupyter notebooks won't run/render content)
So my questions are:
- Are there any workarounds to this - say some configuration to change?
- What would the minimum CSP be to get code-server to work?
-
So I have got notebooks working by opening up the CSP in a dev environment, and specifically by adding https://*.vscode-resource.vscode-cdn.net/ to both the base-uri and script-src components of the CSP.
But I think this is too open for our production environment, so suggestions on how to tackle this are welcome
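As an added example, not code from code-server, VS Code, or anyone in this discussion: the script below implements the CSP Level 3 source-matching rules for host-source, scheme-source, 'self' and 'none', so a candidate policy can be re-checked against recorded violations before it is shipped. It assumes a constructed policy origin (https://code.example.test), a constructed host label (vscode-remote+sample) standing in for the elided one in the quoted errors, and the two candidate policies (strict, and the opened one described above); all of these are assumptions, not values from the project.

```javascript
// Added example (not code-server or VS Code code): a small CSP source-expression
// checker following the CSP Level 3 matching rules.  It answers "would this
// policy allow this URL for this directive?" so candidate policies can be
// audited against recorded violations.  Origin and host labels are constructed.

// Fetch directives fall back to default-src when absent; base-uri does not
// (an absent base-uri leaves <base href> unrestricted).
const FALLS_BACK_TO_DEFAULT = new Set([
  "script-src", "style-src", "img-src", "connect-src", "font-src",
  "frame-src", "worker-src", "media-src", "object-src", "manifest-src",
]);
const DEFAULT_PORT = { "https:": "443", "http:": "80", "wss:": "443", "ws:": "80" };

// "directive sources; directive sources" -> Map(directive -> [sources]).
// The first occurrence of a directive wins, as in browsers.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// host-source: [scheme://]host[:port][/path]; host may be "*" or "*.example".
function hostSourceMatches(source, url, selfOrigin) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\*|\d+))?(\/[^?#]*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;

  // Scheme: an explicit scheme must match; otherwise the policy origin's scheme
  // applies, with http -> https accepted as a secure upgrade.
  const wanted = scheme ? scheme.toLowerCase() + ":" : selfOrigin.protocol;
  if (url.protocol !== wanted && !(wanted === "http:" && url.protocol === "https:")) return false;

  // Host: exact, any ("*"), or subdomain wildcard ("*.example" excludes bare "example").
  const h = url.hostname.toLowerCase(), s = host.toLowerCase();
  if (s !== "*") {
    if (s.startsWith("*.")) { if (!h.endsWith(s.slice(1))) return false; }
    else if (h !== s) return false;
  }

  // Port: explicit port or "*"; without one, the URL must use the scheme's default port.
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
  if (port === "*") { /* any port */ }
  else if (port) { if (port !== urlPort) return false; }
  else if (urlPort !== (DEFAULT_PORT[url.protocol] || "")) return false;

  // Path: a trailing "/" means prefix match, otherwise exact match.
  if (path) return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
  return true;
}

function sourceListMatches(sources, url, selfOrigin) {
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'self'") { if (url.origin === selfOrigin.origin) return true; continue; }
    if (src.startsWith("'")) continue;           // 'none', nonces, hashes, keywords: no URL match
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) {      // scheme-source such as "https:"
      if (url.protocol === src || (src === "http:" && url.protocol === "https:")) return true;
      continue;
    }
    if (hostSourceMatches(raw, url, selfOrigin)) return true;
  }
  return false;                                  // empty list (or only 'none') allows nothing
}

// True when `policy` lets `urlString` be used for `directive` (e.g. "script-src").
function isAllowed(policy, directive, urlString, selfOriginString) {
  const name = directive.toLowerCase();
  const directives = parsePolicy(policy);
  let sources = directives.get(name);
  if (sources === undefined && FALLS_BACK_TO_DEFAULT.has(name)) sources = directives.get("default-src");
  if (sources === undefined) return true;        // nothing in the policy governs this directive
  return sourceListMatches(sources, new URL(urlString), new URL(selfOriginString));
}

// Re-check recorded violations against a candidate policy.
function auditViolations(policy, violations, selfOrigin) {
  return violations.map(({ directive, url }) =>
    ({ directive, url, allowed: isAllowed(policy, directive, url, selfOrigin) }));
}

// Constructed samples modelled on the violations quoted above (real host label elided).
const SELF_ORIGIN = "https://code.example.test";
const SAMPLE_VIOLATIONS = [
  { directive: "base-uri", url: "https://vscode-remote+sample.vscode-resource.vscode-cdn.net/home/dw-user/" },
  { directive: "script-src", url: "https://vscode-remote+sample.vscode-resource.vscode-cdn.net/etc/code-server/extensions/ms-toolsai.jupyter-2024110-universal/dist/webviews/webview-side/ipywidgetsKernel/ipywidgetsKernel.js" },
];
const STRICT_POLICY = "default-src 'self'; base-uri 'self'";
const OPENED_POLICY = "default-src 'self'; script-src 'self' https://*.vscode-resource.vscode-cdn.net/; base-uri 'self' https://*.vscode-resource.vscode-cdn.net/";

for (const policy of [STRICT_POLICY, OPENED_POLICY]) {
  console.log(policy);
  for (const r of auditViolations(policy, SAMPLE_VIOLATIONS, SELF_ORIGIN)) {
    console.log(`  ${r.allowed ? "allowed" : "BLOCKED"} ${r.directive} ${r.url}`);
  }
}
```

Two details the checker makes visible: base-uri has no default-src fallback, so a policy that omits it leaves the document base unrestricted rather than locked to 'self'; and a "*." host source admits every subdomain of that domain, which is what makes the opened policy broad. Narrowing the wildcard to the exact host the browser reports, or to a path prefix, is the kind of change this script lets you verify against the recorded violations before deploying it.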
-
I am not entirely sure what the minimum is, VS Code already comes with CSP tags and we just use those as-is. I am not sure if they are minimal, but the main one is here:
https://github.com/microsoft/vscode/blob/main/src/vs/code/electron-sandbox/workbench/workbench.html
There are other html files with CSP tags, but I am not entirely sure which ones are relevant.
The https://vscode-remote+ URLs are interesting because, if I recall correctly, these are resolved by the service worker and not actually made as regular requests (although I could be wrong), so in theory we could make them anything. I think they have to be a different origin for security reasons, but possibly we could make it configurable.
If they are actual requests, we should change this, because we want code-server to be fully self-contained and not reaching out to some CDN.