theia-ide / theia-apps

Theia applications examples - docker images, desktop apps, packagings
Apache License 2.0

Mini Web Browser got broken after theiaide/theia:1.7.0 #467

Open gurumark opened 3 years ago

gurumark commented 3 years ago

Hello,

Using theiaide/theia image, WebView plugin fails to load content with the following: da556bfe-8650-4c80-b53d-8047c00375d1.10.0.0.13's server IP address could not be found.

I was able to make it work using theiaide/theia:1.7.0 image. So something got broken after theiaide/theia:1.7.0 or theiaide/theia:1.8.0. Starting with theiaide/theia:1.9.0 image, I started getting the error.

Thank you.

paul-marechal commented 3 years ago

The quick but not recommended fix is to set THEIA_MINI_BROWSER_HOST_PATTERN={{hostname}}. See Theia's CHANGELOG.md.

But it is recommended to support virtual hosts one way or the other to serve the mini-browser and webview content.

marcdumais-work commented 3 years ago

> The quick but not recommended fix is to set THEIA_MINI_BROWSER_HOST_PATTERN={{hostname}}. See Theia's CHANGELOG.md.
>
> But it is recommended to support virtual hosts one way or the other to serve the mini-browser and webview content.

I guess we already do similar with the webview equivalent, so it may make sense to do it for the mini-browser too. Correct me if I'm wrong but this may be the only way to have a fully-working IDE without (each user) figuring out how to set up the necessary infrastructure to support virtual hosts?

However doing either/both introduces some security concerns. Maybe we should make that clear in the main README?

stale[bot] commented 3 years ago

This contribution has been automatically marked as stale due to inactivity, and it will be closed if no further activity occurs. Thank you for contributing to Theia!

marcdumais-work commented 3 years ago

My thought is to make an enhancement to Eclipse Theia, to warn, at browser app start-up, if either webviews or the mini-browser are not optimally configured for security. Once we have that, I think we can configure them in examples here, to just work, and the user will be made aware of the fact at every front-end app startup.

marcdumais-work commented 3 years ago

@paul-marechal @vince-fugnitto any thoughts how to best implement that? Could each component check at startup if they are configured to deploy each webview on its own, unique origin? If not, emit a warning toast message that states the app is not currently configured for optimal secure $X and provide a link with more info?
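
The start-up check proposed in the last comment could look like this, sketched for the mini-browser only. This is an added example, not code from Theia or from the thread's participants; the function and type names are hypothetical, and the `{{uuid}}` placeholder is an assumption based on the UUID-prefixed host name in the reported error.

```typescript
// Added illustration, not Theia code. All function and type names are hypothetical.
// Assumption: the host pattern supports a {{uuid}} placeholder besides {{hostname}}.

interface OriginCheck {
    isolated: boolean;
    warning?: string;
}

// Expand a host pattern: placeholders are replaced by a per-view id and by
// the host name the IDE itself is served from.
function expandHostPattern(pattern: string, hostname: string, uuid: string): string {
    return pattern
        .split('{{uuid}}').join(uuid)
        .split('{{hostname}}').join(hostname)
        .toLowerCase();
}

// Decide whether content served under `pattern` gets its own origin,
// separate from the IDE and from every other view.
function checkHostPattern(name: string, pattern: string, ideHostname: string): OriginCheck {
    // Two constructed view ids; distinct views must map to distinct hosts.
    const a = expandHostPattern(pattern, ideHostname, '11111111-aaaa-4aaa-8aaa-111111111111');
    const b = expandHostPattern(pattern, ideHostname, '22222222-bbbb-4bbb-8bbb-222222222222');
    const ide = ideHostname.toLowerCase();
    if (a === ide) {
        return { isolated: false, warning: `${name} content is served from the IDE's own origin (${ide})` };
    }
    if (a === b) {
        return { isolated: false, warning: `${name} views all share one origin (${a})` };
    }
    return { isolated: true };
}

// Collect the messages a start-up warning toast could show.
function startupWarnings(env: Record<string, string | undefined>, ideHostname: string): string[] {
    const pattern = env['THEIA_MINI_BROWSER_HOST_PATTERN'];
    if (pattern === undefined) {
        return []; // unset: the built-in default applies, nothing to report here
    }
    const result = checkHostPattern('Mini-browser', pattern, ideHostname);
    return result.warning ? [result.warning] : [];
}
```

With the quick fix from the thread (`{{hostname}}`) the check reports that mini-browser content shares the IDE's origin; a pattern that includes the per-view id passes.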