microsoft / vscode-postgresql

PostgreSQL extension for VSCODE

Webview does not set a content security policy #56

Open mjbvz opened 4 years ago

mjbvz commented 4 years ago

Hi, I'm the developer of VS Code's webview API. I noticed that your extension seems to create a webview that does not set a content security policy. All webviews (even very simple ones) should set a content security policy. This helps limit the potential impact of content injections and is generally a good measure for defense in depth.

We've documented how to add a content security policy to VS Code webviews here. Please add the most restrictive content security policy possible to your webview. I am not aware of any immediate security issues with your extension but having a restrictive content security policy is important to help protect users of your extension.
Also note that in development mode, in VS Code 1.38 you should also see a warning if you create a webview that does not set a content security policy: https://github.com/microsoft/vscode/issues/79248

mjbvz commented 4 years ago

Friendly ping. All Microsoft extensions should really have the extra level of protection a strict CSP brings :)