microsoft / vscode-python-devicesimulator

Device Simulator Express, a Microsoft Garage project
https://marketplace.visualstudio.com/items?itemName=ms-python.devicesimulatorexpress

Webview resources #375

Closed xnkevinnguyen closed 4 years ago

xnkevinnguyen commented 4 years ago

This PR addresses #374. This PR includes the following changes:

- Add Content security policy for scripts with meta tag to only load vscode resources scripts
- Load local script resources on Webview using Webview.asWebviewUri function instead of hardcoding vscode-resources.
- Changes have been made to the configuration of webpack to not use eval on dev, which is forbidden by the content security policy

The changes follow this sample from the vscode extension team: https://github.com/Microsoft/vscode-extension-samples/blob/master/webview-sample/README.md

Testing scenarios: These can be done on the html document loaded into the web view in src/service/webviewService.ts

  1. Inject inline html without the bounce hash on the html document lo should be sanitized
  2. Loading a script outside of the vscode resources shouldn’t work. The last two script blocks should be sanitized.
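The policy this PR description outlines, as an added example that is not the extension's code from `src/service/webviewService.ts`: it builds the meta-tag CSP and checks the two test scenarios plus the webpack `eval` point against a simplified model of `script-src` matching. The function names are hypothetical, `cspSource` and `scriptUri` stand for `webview.cspSource` and the result of `webview.asWebviewUri(...)`, and the use of a per-render nonce is an assumption.

```javascript
// Added example. cspSource stands for webview.cspSource and scriptUri for the
// string form of webview.asWebviewUri(...); both are passed in so the code
// runs outside VS Code. The per-render nonce is an assumption.
function buildCsp(cspSource, nonce) {
  if (!/^[A-Za-z0-9+\/_-]{16,}={0,2}$/.test(nonce)) {
    throw new Error("nonce must be 16+ base64 characters from a CSPRNG");
  }
  // No 'unsafe-inline' or 'unsafe-eval', so eval-based webpack devtools break.
  return `default-src 'none'; script-src ${cspSource} 'nonce-${nonce}'; style-src ${cspSource}`;
}

const escAttr = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");

function buildWebviewHtml(cspSource, scriptUri, nonce) {
  const csp = buildCsp(cspSource, nonce);
  return [
    "<!DOCTYPE html>",
    "<html><head>",
    `<meta http-equiv="Content-Security-Policy" content="${escAttr(csp)}">`,
    "</head><body>",
    '<div id="root"></div>',
    `<script nonce="${nonce}" src="${escAttr(scriptUri)}"></script>`,
    "</body></html>",
  ].join("\n");
}

// Source list of the script-src directive, e.g. ["vscode-resource:", "'nonce-...'"].
function scriptSources(csp) {
  const d = csp.split(";").map((p) => p.trim().split(/\s+/)).find((p) => p[0] === "script-src");
  return d ? d.slice(1) : [];
}

// Simplified model of enforcement: a nonce match, or a scheme source such as
// "vscode-resource:" matching the script URL. Host sources are not modelled.
function scriptAllowed(csp, script) {
  const sources = scriptSources(csp);
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (!script.src) return false; // inline script without a valid nonce
  const src = script.src.toLowerCase();
  return sources.some((s) => s.endsWith(":") && src.startsWith(s.toLowerCase()));
}

// True only if the policy would let eval() and new Function() run.
const allowsEval = (csp) => scriptSources(csp).includes("'unsafe-eval'");
```
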

msftclas commented 4 years ago

CLA assistant check
All CLA requirements met.

xnkevinnguyen commented 4 years ago

/AzurePipelines run

azure-pipelines[bot] commented 4 years ago

Commenter does not have sufficient privileges for PR 375 in repo microsoft/vscode-python-devicesimulator

andreamah commented 4 years ago

/AzurePipelines run

azure-pipelines[bot] commented 4 years ago

No pipelines are associated with this pull request.

xnkevinnguyen commented 4 years ago

Thanks for reviewing @isadorasophia! Seems like I can't run the pipeline nor merge anymore @andreamah

andreamah commented 4 years ago

/AzurePipelines run

azure-pipelines[bot] commented 4 years ago

No pipelines are associated with this pull request.