microsoft / vscode

Visual Studio Code
https://code.visualstudio.com
MIT License

Prevent the blue warning strip at the top that keeps popping up #147888

Open github-account1111 opened 2 years ago

github-account1111 commented 2 years ago

Steps to Reproduce:

  1. Append "editor.unicodeHighlight.nonBasicASCII": true, to the settings json.
  2. Open a document w/ many non-ascii chars


I realize non-ascii chars are highlighted and no, I don't want to disable it - after all, I was the one who enabled that option. Why does it feel the need to keep reminding me of that? It accomplishes nothing but looking out of place and taking up screen space. Maybe in addition to the "Disable highlights" button there should be a "Don't show again" one.

hediet commented 2 years ago

For large files with potentially thousands of non-basic ascii characters, we cannot highlight them all, as that would get slow for technical reasons.

Thus, there is a limit. When this limit is exceeded, this message is shown to prevent certain attacks (e.g. by artificially adding thousands of invisible characters just to exceed that limit).

When you would click on "never show again", and we don't highlight these characters (or all of them), it might give a false sense of security.

I'm up for introducing a setting to configure that limit.

github-account1111 commented 2 years ago

When you would click on "never show again", and we don't highlight these characters (or all of them), it might give a false sense of security.

I don't see how. Sense of security presumes feeling threatened otherwise. I don't feel threatened in any way when seeing the banner, only annoyed. Using a banner like that against hypothetical attacks smells of security theater because if you think about it, it gives a false sense of security.

I also assume you aren't highlighting the chars that are out of the current window view (that would just be a waste of resources), so why does it matter if it's thousands or hundreds of thousands?

BrianJDrake commented 1 year ago

When you would click on "never show again", and we don't highlight these characters (or all of them), it might give a false sense of security.

I don't see how. Sense of security presumes feeling threatened otherwise. I don't feel threatened in any way when seeing the banner, only annoyed. Using a banner like that against hypothetical attacks smells of security theater because if you think about it, it gives a false sense of security.

@github-account1111 @gonzzza007 I don't understand this comment. Maybe you don't realise (understandable, given the lack of warning in VS Code) that special characters are a security issue: see Trojan Source and Imperceptible Perturbations.

github-account1111 commented 12 months ago

@BrianJDrake,

That's not what the banner is for.

The banner is for disabling highlighting special characters in case they are annoying (as is obvious from the only available action), but the banner itself is significantly more annoying than said special characters. It pops up every time I tab into a file with lots of special characters, e.g. a Japanese one. I close it, tab into a different file, tab back into the Japanese one, and the cursed banner pops up again.

No, I don't want to disable highlights. Microsoft, do you think I went out of my way by manually enabling the option to then want to not have highlights?

BrianJDrake commented 12 months ago

The banner is for disabling highlighting special characters in case they are annoying (as is obvious from the only available action)

If that was the purpose of the banner, it would be displayed whenever the highlighting was displayed. But the actual behaviour is the opposite of that: the banner is only displayed when the highlighting is not displayed, because displaying the highlighting would be too expensive.

I emphasise what I said above: special characters are a security risk, so much so that the Trojan Source authors recommended that development tools include warnings:

Code editors and repository frontends should make bidirectional control characters and mixed-script confusable characters perceptible with visual symbols or warnings.

Perhaps the banner is not the best way to help all users manage that risk, but please stop downplaying the risk itself.

You emphasise that you deliberately enabled the highlighting. Apparently you didn't do so because of the security risks I mentioned, but for some other reason. What was that reason?
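As an added example that is not VS Code's own code, here is a scanner in the spirit of the behaviour hediet describes above and of the Trojan Source recommendation BrianJDrake quotes: it flags bidirectional control characters and invisible characters (and, optionally, every non-basic-ASCII code point), stops at a configurable limit, and reports that it stopped so the caller can warn instead of silently under-highlighting. The character sets, the "basic ASCII" definition and the default limit are this example's assumptions, not VS Code's.

```typescript
// Unicode bidirectional controls (the ones Trojan Source relies on):
// LRE, RLE, PDF, LRO, RLO, LRI, RLI, FSI, PDI. Set chosen for this example.
const BIDI_CONTROLS = new Set<number>([
  0x202a, 0x202b, 0x202c, 0x202d, 0x202e, 0x2066, 0x2067, 0x2068, 0x2069,
]);
// A few zero-width / invisible code points that can hide inside identifiers
// or string literals. Set chosen for this example, not exhaustive.
const INVISIBLE = new Set<number>([0x200b, 0x200c, 0x200d, 0x2060, 0xfeff, 0x00ad]);

type Kind = "bidi" | "invisible" | "nonBasicASCII";
interface Finding { offset: number; codePoint: number; kind: Kind; }
interface ScanResult { findings: Finding[]; truncated: boolean; }

// Classify one code point. "Basic ASCII" here means printable 0x20..0x7e plus
// tab, LF and CR (assumption of this example).
function classify(cp: number, nonBasicASCII: boolean): Kind | null {
  if (BIDI_CONTROLS.has(cp)) return "bidi";
  if (INVISIBLE.has(cp)) return "invisible";
  const basic = (cp >= 0x20 && cp <= 0x7e) || cp === 0x09 || cp === 0x0a || cp === 0x0d;
  if (nonBasicASCII && !basic) return "nonBasicASCII";
  return null;
}

// Scan text, collecting at most `limit` findings. If another finding exists
// past the limit, return truncated=true: the editor should then show a
// warning rather than pretend the remaining characters were checked.
function scan(text: string, opts: { nonBasicASCII?: boolean; limit?: number } = {}): ScanResult {
  const limit = opts.limit ?? 1000;
  const findings: Finding[] = [];
  let offset = 0; // UTF-16 unit offset, as editors usually address text
  for (const ch of text) { // iterates by code point, not by UTF-16 unit
    const cp = ch.codePointAt(0)!;
    const kind = classify(cp, opts.nonBasicASCII ?? false);
    if (kind !== null) {
      if (findings.length >= limit) return { findings, truncated: true };
      findings.push({ offset, codePoint: cp, kind });
    }
    offset += ch.length;
  }
  return { findings, truncated: false };
}

// Constructed sample: an RLO override inside a comment and a zero-width space
// glued to an identifier, in otherwise plain code.
const SAMPLE = "if (ok) { /* \u202e */ return; } const x\u200b = 1;";
```

Run `scan(SAMPLE)` to see two findings (offsets 13 and 38) and `scan(text, { limit: n })` to see `truncated` flip to true once the limit is hit.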

Traae commented 8 months ago

I also want this message disabled. It's infuriating.

github-account1111 commented 7 months ago

@BrianJDrake I previously did not see your reply, so I'll reply now.

If that was the purpose of the banner, it would be displayed whenever the highlighting was displayed. But the actual behaviour is the opposite of that: the banner is only displayed when the highlighting is not displayed, because displaying the highlighting would be too expensive.

Yes, too expensive, not "a security risk."

You emphasise that you deliberately enabled the highlighting. Apparently you didn't do so because of the security risks I mentioned, but for some other reason. What was that reason?

Special characters are problematic in programming. There are several special versions of the whitespace and the quote characters which are hard-to-impossible to spot with a naked eye. That is the actual purpose of this setting, not security.

Your theory about the security risk is wrong, man. If it were the actual purpose, it wouldn't be a non-default setting that needs to be enabled manually. There's not a single mention of security; just look at the setting name, description and the section it's in.

BrianJDrake commented 5 months ago

@github-account1111

Special characters are problematic in programming. There are several special versions of the whitespace and the quote characters which are hard-to-impossible to spot with a naked eye.

The first sentence just says 'special characters', but the second sentence is about very specific types of special characters, which should be covered by other settings (the settings for invisible characters and ambiguous characters). If those settings are not enough, perhaps VS Code should change them or add similar settings. But that is probably off-topic in this issue.

Your theory about the security risk is wrong man.

It is not 'my theory'. It comes from the Trojan Source and Imperceptible Perturbations research cited above and other sources cited below, including the VS Code developers.

If it were the actual purpose it wouldn't be a non-default setting that needs to be enabled manually.

Highlighting of all non-basic ASCII characters is enabled by default in Restricted Mode (see below).

There's not a single mention of security, just look at the setting name, description and the section it's in.

That just means that the VS Code user interface is deficient. I did acknowledge that problem earlier (and I will open a relevant issue here):

Maybe you don't realise (understandable, given the lack of warning in VS Code) that special characters are a security issue ....

It turns out that the official purpose of this highlighting is security.

This highlighting was introduced in #137508, a pull request to implement issue #136437. That issue does not clearly say the purpose of the highlighting, but does mention security issues (including the Trojan Source research that I cited above). More importantly, that pull request uses default setting values derived from the trust state.

That pull request also links to the relevant release notes:

You can read "The Invisible JavaScript Backdoor" blog post or this University of Cambridge article for how invisible or confusable Unicode characters can be used in Unicode spoofing attacks.

Note that this feature does not detect all possible Unicode spoofing attacks, as this depends on your font and locale settings. Also, the detection of ambiguous characters is done heuristically. To be on the safe side, VS Code's Workspace Trust Restricted Mode should be used to review source code, as all non-ASCII characters are highlighted in untrusted workspaces.

GitHub also says that this feature is important for security. Their blog post about the bidirectional Unicode text warning says:

A warning is now displayed when a file's contents include bidirectional Unicode text. ... This can cause code to appear one way and be interpreted or compiled another way.

...

To review a file for which this warning is displayed, open it in an editor ... like Visual Studio Code which highlights the characters by default.