
fix: Update webview CSP security hash

Enrique Alcántara requested to merge update-webview-csp-script-hash into main

What does this MR do?

In gitlab-web-ide!365 (merged), we identified that the script-src directive's SHA in the file vscode/src/vs/workbench/contrib/webview/browser/pre/index.html is outdated. This Merge Request sets a new SHA that represents the content of the inline scripts in this file.

How to test?

  1. Check out the Merge Request gitlab-web-ide!365 (merged) in the Web IDE.

  2. Apply the following patch:

    diff --git a/packages/vscode-bootstrap/src/start.ts b/packages/vscode-bootstrap/src/start.ts
    index 14e8843..965ae15 100644
    --- a/packages/vscode-bootstrap/src/start.ts
    +++ b/packages/vscode-bootstrap/src/start.ts
    @@ -99,12 +99,12 @@ const BASE_OPTIONS: Partial<IWorkbenchConstructionOptions> = {
         privacyStatementUrl: '',
         showTelemetryOptOut: false,
         // 'commit' should be same as vscode_version.json
    -    commit: 'e258f22fc8fe0545997a22514e315837d8145c34',
    +    commit: '13ced324819b4f7f2476af7069c7042b52b6232d',
         quality: 'stable',
         webviewContentExternalBaseUrlTemplate:
    -      'https://{{uuid}}.cdn.web-ide.gitlab-static.net/web-ide-vscode/{{quality}}/{{commit}}/out/vs/workbench/contrib/webview/browser/pre/',
    +      'https://{{uuid}}.staging.cdn.web-ide.gitlab-static.net/web-ide-vscode/{{quality}}/{{commit}}/out/vs/workbench/contrib/webview/browser/pre/',
         webEndpointUrlTemplate:
    -      'https://{{uuid}}.cdn.web-ide.gitlab-static.net/web-ide-vscode/{{quality}}/{{commit}}',
    +      'https://{{uuid}}.staging.cdn.web-ide.gitlab-static.net/web-ide-vscode/{{quality}}/{{commit}}',
         trustedExtensionAuthAccess: ['gitlab.gitlab-workflow', WEB_IDE_EXTENSION_ID],
       },
     };
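Review bot: the new `commit` value sits directly under the comment "'commit' should be same as vscode_version.json", and this hunk does not touch that file, so confirm the two agree before testing; both URL templates substitute `{{commit}}`, so a mismatch would fetch webview assets from a different build than the one being verified. Both templates are also switched to the `staging.cdn` host in the same change; state in this step that the patch is for local testing only and must not be committed, or move the host behind a configuration value instead of editing `BASE_OPTIONS`.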
    
  3. The Web views like GitLab Duo Chat should work correctly.

Edited by Enrique Alcántara
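As an added example (not part of this merge request or the project's code), the Node.js check below recomputes the CSP hash source for each inline script in a page and reports any that `script-src` does not list, which is the drift this MR corrects. The function names and the sample page are constructed for illustration; it assumes SHA-256 hash sources and a policy delivered in a double-quoted `<meta>` tag.

```javascript
// Added example: flag inline <script> blocks whose hash is missing from the
// CSP script-src directive. Regex parsing is a simplification for simple pages.
const crypto = require('crypto');

// A CSP hash source is base64(SHA-256(script text)), whitespace included.
function cspHash(scriptText) {
  return 'sha256-' + crypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
}

// Text of every inline script (no src attribute), exactly as written.
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)]
    .filter(([, attrs]) => !/\bsrc\s*=/i.test(attrs))
    .map(([, , body]) => body);
}

// sha256 sources listed in script-src of the CSP <meta> tag (assumed double-quoted).
function allowedHashes(html) {
  const meta = html.match(/<meta\b[^>]*http-equiv="Content-Security-Policy"[^>]*>/i);
  const content = meta && meta[0].match(/\bcontent="([^"]*)"/i);
  if (!content) return new Set();
  const directive = content[1]
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === 'script-src');
  return new Set(
    (directive || [])
      .filter((t) => /^'sha256-[A-Za-z0-9+\/]+=*'$/.test(t))
      .map((t) => t.slice(1, -1))
  );
}

// Hashes the page would need in script-src but does not list (empty = in sync).
function staleInlineScripts(html) {
  const allowed = allowedHashes(html);
  return inlineScripts(html).map(cspHash).filter((h) => !allowed.has(h));
}

// Constructed sample page: the policy pins the hash of `original`.
const original = "\n  window.addEventListener('message', (e) => console.log(e.data));\n";
const samplePage = (pinned, body) => `<!DOCTYPE html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src '${pinned}' 'self';">
</head><body><script async type="module">${body}</script></body></html>`;

console.log(staleInlineScripts(samplePage(cspHash(original), original)));       // in sync
console.log(staleInlineScripts(samplePage(cspHash(original), original + ' '))); // one stale hash
```

Run against the built `index.html` in CI, a non-empty result means the pinned hash no longer matches the inline script and the browser would refuse to execute it.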
