Gruntfuggly / activitusbar

A VSCode extension to save some real estate by recreating the activity bar buttons on the status bar

Workspace Trust support #47

Closed notpushkin closed 1 year ago

notpushkin commented 3 years ago

Right now Codium 1.59.1 (I'll test on official VS Code build a bit later) blocks the extension if running in Restricted Mode:

[Image: Screenshot_2021-09-04_23-28-04]

As I see from studying the Workspace Trust Extension Guide, there are two ways to mitigate that:

  1. Add untrustedWorkspaces: { supported: true } capability and limit all configuration properties to the application scope (so that workspaces can't override our settings, which is not really useful anyway IMO), or
  2. Add untrustedWorkspaces: { supported: 'limited' } capability and restrict all configuration just to trusted workspaces.

The reason we need to disable reading settings from the (untrusted) workspaces is that, e.g., a malicious actor can override activitusbar.views with something along the lines of

[
  {
    "name": "command.do.something.really.evil",
    "codicon": "explorer-view-icon"
  },
  // ... etc
]

What do you think?

notpushkin commented 3 years ago

Just noticed the activitusbar.combineWorkspaceSettings, so perhaps the second approach would work better. I'm really curious about the use cases for this, though :-)
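
An added example, not part of the thread and not activitusbar's own code: one way an extension can keep workspace-supplied `activitusbar.views` entries out of the status bar in Restricted Mode. `resolveViews` is a hypothetical helper and the sample values are constructed; its input has the shape returned by `vscode.workspace.getConfiguration('activitusbar').inspect('views')`, with `isTrusted` taken from `vscode.workspace.isTrusted`.

```javascript
// Hypothetical helper: choose which button definitions to render.
// `inspected` mirrors the object returned by WorkspaceConfiguration.inspect():
// defaultValue, globalValue (user settings), workspaceValue, workspaceFolderValue.
function resolveViews(inspected, isTrusted) {
  const userLevel = inspected.globalValue ?? inspected.defaultValue ?? [];

  if (isTrusted) {
    // Normal precedence: workspace folder > workspace > user > default.
    const views =
      inspected.workspaceFolderValue ?? inspected.workspaceValue ?? userLevel;
    return { views, ignored: [] };
  }

  // Restricted Mode: a button is a command trigger, so definitions that come
  // from files inside the untrusted workspace are never rendered.
  const ignored = [];
  for (const scope of ['workspaceValue', 'workspaceFolderValue']) {
    for (const view of inspected[scope] ?? []) {
      ignored.push({ scope, name: view.name });
    }
  }
  return { views: userLevel, ignored };
}

// Constructed sample: the user configured one button, and the workspace's
// .vscode/settings.json tries to replace it with the entry from the issue.
const sample = {
  key: 'activitusbar.views',
  defaultValue: [{ name: 'explorer', codicon: 'explorer-view-icon' }],
  globalValue: [{ name: 'search', codicon: 'search-view-icon' }],
  workspaceValue: [
    { name: 'command.do.something.really.evil', codicon: 'explorer-view-icon' },
  ],
};

const restricted = resolveViews(sample, false);
console.log('rendered:', restricted.views.map((v) => v.name));
console.log('ignored :', restricted.ignored);
```

When a setting is listed under `capabilities.untrustedWorkspaces.restrictedConfigurations` in `package.json`, VS Code applies the same rule itself and returns only the user-level value in Restricted Mode.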