Clean up webview click handler

2026-04-21 12:57:31 -05:00 · 2017-03-02 21:33:55 -08:00
parent 511ab6c441
commit 3b16023c41
3 changed files with 10 additions and 6 deletions
--- a/src/vs/workbench/parts/extensions/browser/extensionEditor.ts
+++ b/src/vs/workbench/parts/extensions/browser/extensionEditor.ts
@@ -47,13 +47,15 @@ import { Position } from 'vs/platform/editor/common/editor';
 import { IListService } from 'vs/platform/list/browser/listService';

 function renderBody(body: string): string {
+	const nonce = new Date().getTime() + '' + new Date().getMilliseconds();
 	return `<!DOCTYPE html>
 		<html>
 			<head>
 				<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
-				<link rel="stylesheet" type="text/css" href="${ require.toUrl('./media/markdown.css')}" >
+				<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src http: https: data:; media-src http: https: data:; script-src 'none'; style-src 'nonce-${nonce}'; child-src 'none'; frame-src 'none';">
+				<link rel="stylesheet" type="text/css" href="${require.toUrl('./media/markdown.css')}" nonce="${nonce}" >
 			</head>
-			<body>${ body}</body>
+			<body>${body}</body>
 		</html>`;
 }

--- a/src/vs/workbench/parts/html/browser/webview-pre.js
+++ b/src/vs/workbench/parts/html/browser/webview-pre.js
@@ -142,7 +142,7 @@ document.addEventListener("DOMContentLoaded", function (event) {

 			// bubble out link-clicks
 			if (newFrame.contentDocument.body) {
-				newFrame.contentDocument.body.addEventListener("click", handleInnerClick);
+				newFrame.contentDocument.body.addEventListener('click', handleInnerClick);
 			}

 			if (frame) {
@@ -176,4 +176,4 @@ document.addEventListener("DOMContentLoaded", function (event) {

 	// signal ready
 	ipcRenderer.sendToHost('webview-ready', process.pid);
-});
+});
--- a/src/vs/workbench/parts/update/electron-browser/releaseNotesEditor.ts
+++ b/src/vs/workbench/parts/update/electron-browser/releaseNotesEditor.ts
@@ -21,13 +21,15 @@ import { IModeService } from 'vs/editor/common/services/modeService';
 import { tokenizeToString } from 'vs/editor/common/modes/textToHtmlTokenizer';

 function renderBody(body: string): string {
+	const nonce = new Date().getTime() + '' + new Date().getMilliseconds();
 	return `<!DOCTYPE html>
 		<html>
 			<head>
 				<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
-				<link rel="stylesheet" type="text/css" href="${ require.toUrl('./media/markdown.css')}" >
+				<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src http: https: data:; media-src http: https: data:; script-src 'none'; style-src 'nonce-${nonce}'; child-src 'none'; frame-src 'none';">
+				<link rel="stylesheet" type="text/css" href="${require.toUrl('./media/markdown.css')}" nonce="${nonce}" >
 			</head>
-			<body>${ body}</body>
+			<body>${body}</body>
 		</html>`;
 }