Don't use 'self' for image editor csp
On desktop, we now serve webview resources from a different origin than the webview itself. This means we no longer can use `'self'` in our CSP as shorthand and instead should always use the provided `cspSource`
This commit is contained in:
Matt Bierner
parent
044a99585c
commit
9c9e188aa0
1 changed files with 2 additions and 1 deletions
|
|
@ -212,6 +212,7 @@ class Preview extends Disposable {
|
|||
|
||||
const nonce = Date.now().toString();
|
||||
|
||||
const cspSource = this.webviewEditor.webview.cspSource;
|
||||
return /* html */`<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
|
|
@ -225,7 +226,7 @@ class Preview extends Disposable {
|
|||
|
||||
<link rel="stylesheet" href="${escapeAttribute(this.extensionResource('/media/main.css'))}" type="text/css" media="screen" nonce="${nonce}">
|
||||
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self' data: ${this.webviewEditor.webview.cspSource}; script-src 'nonce-${nonce}'; style-src 'self' 'nonce-${nonce}';">
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src data: ${cspSource}; script-src 'nonce-${nonce}'; style-src ${cspSource} 'nonce-${nonce}';">
|
||||
<meta id="image-preview-settings" data-settings="${escapeAttribute(JSON.stringify(settings))}">
|
||||
</head>
|
||||
<body class="container image scale-to-fit loading">
|
||||
|
|
|
|||
Loading…
Reference in a new issue