Commit060ad10

authored
Merge pull requestcoderoad#525 from coderoad/fix/sha-hash-exemptions
resolve sha hash exemptions
2 parentse9b2af8 +67e4bc9 commit060ad10


2 files changed

+16
-4
lines changed

2 files changed

+16
-4
lines changed

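--- a/src/commands.ts
+++ b/src/commands.ts
@@ -33,7 +33,6 @@ export const send = (action: T.Action): void => {
 }
 
 exportconstcreateCommands=(commandProps:CreateCommandProps):{[key:string]:any}=>{
-console.log(commandProps)
 const{ extensionPath, workspaceState}=commandProps
 // React panel webview
 letwebview:any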
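--- a/src/services/webview/render.ts
+++ b/src/services/webview/render.ts
@@ -27,6 +27,7 @@ async function render(panel: vscode.WebviewPanel, rootPath: string): Promise<voi
 
 // used for CSP
 constnonces:string[]=[]
+consthashes:string[]=[]
 
 // generate vscode-resource build path uri
 constcreateUri=(_filePath:string):any=>{
@@ -50,7 +51,12 @@ async function render(panel: vscode.WebviewPanel, rootPath: string): Promise<voi
 // support additional CSP exemptions when CodeRoad is embedded
 if(CONTENT_SECURITY_POLICY_EXEMPTIONS&&CONTENT_SECURITY_POLICY_EXEMPTIONS.length){
 for(constexemptionofCONTENT_SECURITY_POLICY_EXEMPTIONS.split(' ')){
-nonces.push(exemption)
+// sha hashes should not be prefixed with 'nonce-'
+if(exemption.match(/^sha/)){
+hashes.push(exemption)
+}else{
+nonces.push(exemption)
+}
 }
 }
 
@@ -71,17 +77,24 @@ async function render(panel: vscode.WebviewPanel, rootPath: string): Promise<voi
 }
 
 // set CSP (content security policy) to grant permission to local files
+// while blocking unexpected malicious network requests
 constcspMeta:HTMLMetaElement=document.createElement('meta')
 cspMeta.httpEquiv='Content-Security-Policy'
+
+constwrapInQuotes=(str:string)=>`'${str}'`
+constnonceString=nonces.map((nonce:string)=>wrapInQuotes(`nonce-${nonce}`)).join(' ')
+consthashString=hashes.map(wrapInQuotes).join(' ')
+
 cspMeta.content=
 [
 `default-src 'self'`,
+`manifest-src${hashString} 'self'`,
 `connect-src https: http:`,
 //@ts-ignore
 `font-src${panel.webview.cspSource} http: https: data:`,
 //@ts-ignore
 `img-src${panel.webview.cspSource} https:`,
-`script-src${nonces.map((nonce)=>`'nonce-${nonce}'`).join(' ')} data:`,
+`script-src${nonceString}${hashString} data:`,
 //@ts-ignore
 `style-src${panel.webview.cspSource} https: 'self' 'unsafe-inline'`,
 ].join('; ')+';'
@@ -92,7 +105,7 @@ async function render(panel: vscode.WebviewPanel, rootPath: string): Promise<voi
 
 // set view
 panel.webview.html=html
-}catch(error){
+}catch(error:any){
 onError(error)
 console.error(error)
 }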
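Review bot: The classifier on the new `if(exemption.match(/^sha/))` line accepts any token that merely begins with `sha` and splices it into the policy unvalidated, so a malformed or stray exemption (one containing a quote or semicolon, say) lands inside `script-src` verbatim and can truncate or alter the directive; match the CSP hash-source grammar instead, `if (/^sha(256|384|512)-[A-Za-z0-9+/=]+$/.test(exemption))`, and give the nonce branch a similar character-class check with a `console.warn` for anything rejected rather than pushing it blindly. Hash sources are only consulted for inline script/style (and, in CSP3, external scripts carrying an `integrity` attribute), so `${hashString}` on the new `manifest-src` line most likely has no effect and could be dropped. The rewritten `script-src` line still lists `data:` as a source, which lets any `data:` URL execute regardless of the nonce/hash allow-list and largely undoes the protection that list provides; if an embedded host genuinely needs it, a comment naming that host and why belongs on that line. The `render` function whose body these hunks edit starts and ends outside them.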
