Hi, I'm the developer of VS Code's webview API. I noticed that your extension seems to create a webview that does not set acontent security policy. All webviews (even very simple ones) should set a content security policy. This helps limit the potential impact of content injections and is generally a good measure for defense in depth.

We've documented how to add a content security policy to VS Code webviewshere. Please add the most restrictive content security policy possible to your webview. I am not aware of any immediate security issues with your extension but having a restrictive content security policy is important to help protect users of your extension.

Also note that in development mode, in VS Code 1.38 you should also see a warning if you create a webview that does not set a content security policy:microsoft/vscode#79248