relax CSP policy to address vim extension installation problem (#142)

feiyangliu2023 · Feiyang Liu · web-flow · commit d41b9d790d1b · 2026-02-11T14:54:24.000+01:00
Co-authored-by: Feiyang Liu &lt;lfeiyang@amazon.nl&gt;
diff --git a/patches/common/preapplied/remove-unsafe-headers.diff b/patches/common/preapplied/remove-unsafe-headers.diff
@@ -24,19 +24,6 @@ Index: third-party-src/src/vs/workbench/contrib/notebook/browser/view/renderers/
  					style-src ${webviewGenericCspSource} 'unsafe-inline';
  					img-src ${webviewGenericCspSource} https: http: data:;
  					font-src ${webviewGenericCspSource} https:;
-Index: third-party-src/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
-===================================================================
---- third-party-src.orig/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
-+++ third-party-src/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
-@@ -4,7 +4,7 @@
- 		<meta http-equiv="Content-Security-Policy" content="
- 			default-src 'none';
- 			child-src 'self' data: blob:;
--			script-src 'self' 'unsafe-eval' 'sha256-cl8ijlOzEe+0GRCQNJQu2k6nUQ0fAYNYIuuKEm72JDs=' https: http://localhost:* blob:;
-+			script-src 'self' 'wasm-unsafe-eval' 'sha256-cl8ijlOzEe+0GRCQNJQu2k6nUQ0fAYNYIuuKEm72JDs=' https: http://localhost:* blob:;
- 			connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
- 	</head>
- 	<body>
 Index: third-party-src/src/vs/code/electron-browser/workbench/workbench-dev.html
 ===================================================================
 --- third-party-src.orig/src/vs/code/electron-browser/workbench/workbench-dev.html
@@ -62,4 +49,4 @@ Index: third-party-src/src/vs/code/electron-browser/workbench/workbench.html
 +					'wasm-unsafe-eval'
  					blob:
  				;
- 				style-src
+ 				style-src
diff --git a/patches/web-embedded/remove-unsafe-eval-and-unsafe-inline-from-csp-direct.diff b/patches/web-embedded/remove-unsafe-eval-and-unsafe-inline-from-csp-direct.diff
@@ -65,7 +65,7 @@ Index: third-party-src/src/vs/workbench/services/extensions/worker/webWorkerExte
  		<meta http-equiv="Content-Security-Policy" content="
  			default-src 'none';
  			child-src 'self' data: blob:;
--			script-src 'self' 'wasm-unsafe-eval' 'sha256-cl8ijlOzEe+0GRCQNJQu2k6nUQ0fAYNYIuuKEm72JDs=' https: http://localhost:* blob:;
+-			script-src 'self' 'unsafe-eval' 'sha256-cl8ijlOzEe+0GRCQNJQu2k6nUQ0fAYNYIuuKEm72JDs=' https: http://localhost:* blob:;
 +			script-src 'self' 'sha256-cl8ijlOzEe+0GRCQNJQu2k6nUQ0fAYNYIuuKEm72JDs=' https: http://localhost:* blob:;
  			connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
  	</head>
