
Webview content is blocked on browser app due to sandbox issue: allow-same-origin and allow-scripts #16275

@martin-fleck-at


Bug Description:

I'm by far no expert on this topic, but for some reason webviews are not loaded when accessed through the browser app. It seems to involve the overall content-security-policy of the main page (which seems fine, as it allows the proper frame-src) and the sandbox arguments set on the iframe. Apparently, allow-same-origin and allow-scripts in combination raise a security concern, as this combination allows the iframe to access the parent content and execute code: "An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing."

I know that VS Code sets its webview up in a similar manner, cf. VS Code Webview vs Theia Webview. But they may not hit the same problem, as I also do not encounter it on Electron.

Steps to Reproduce:

  1. Start your Theia browser app locally and open 127.0.0.1:3000 (not localhost:3000 as that is working)
  2. Install a VS Code extension with a webview, e.g., VS Code Messenger Developer Tool, and open the webview (in this case through the command Developer: Open vscode-messenger devtools).
  3. The webview stays empty and in the log we get the warning in Chrome or simply see an empty webview in Firefox.

Additional Information

  • Operating System:
  • Theia Version:
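The report above involves two separate checks a practitioner would want to run against a page that embeds a webview: does the host page's CSP `frame-src` actually permit the iframe's URL, and does the iframe's `sandbox` attribute (`allow-scripts` plus `allow-same-origin`) let a same-origin frame escape its sandbox. The following is an added example that evaluates both offline; it is not Theia's or VS Code's code. The CSP header, page URLs and frame URLs it uses are constructed for illustration and are not the real values the Theia browser app serves.

```javascript
// Added example (not Theia/VS Code code): offline checks for CSP frame-src
// allowance and iframe sandbox escape risk. All inputs are constructed.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "frame-src a b; script-src c" -> Map { 'frame-src' => ['a', 'b'], ... }
// CSP keeps only the first occurrence of a directive name.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// URL.port is '' for the scheme's default port; normalize to a string.
function effectivePort(url) {
  return url.port || DEFAULT_PORT[url.protocol] || '';
}

// Simplified CSP source-expression matching: 'none', 'self', '*', scheme-only
// ("https:") and host sources ("http://*.example.test:3000/path").
function sourceMatches(src, pageUrl, frameUrl) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return frameUrl.origin === pageUrl.origin;
  if (s === '*') return ['http:', 'https:', 'ws:', 'wss:'].includes(frameUrl.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return frameUrl.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\*|\d+))?(\/[^?#]*)?$/.exec(s);
  if (!m) return false; // nonces, hashes, 'unsafe-inline' etc. never match a frame URL
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme ? frameUrl.protocol !== scheme + ':' : !['http:', 'https:'].includes(frameUrl.protocol)) return false;
  const fh = frameUrl.hostname.toLowerCase();
  if (wildcard ? !fh.endsWith('.' + host) : fh !== host) return false;
  if (port === '*') {
    // any port
  } else if (port !== undefined) {
    if (effectivePort(frameUrl) !== port) return false;
  } else if (effectivePort(frameUrl) !== DEFAULT_PORT[frameUrl.protocol]) {
    return false; // no port in the source means "default port for the scheme"
  }
  if (path) {
    const fp = frameUrl.pathname;
    if (path.endsWith('/') ? !fp.startsWith(path) : fp !== path) return false;
  }
  return true;
}

// frame-src falls back to child-src, then default-src; no directive at all
// means the policy does not restrict frames.
function cspAllowsFrame(cspHeader, pageHref, frameHref) {
  const csp = parseCsp(cspHeader);
  const pageUrl = new URL(pageHref);
  const frameUrl = new URL(frameHref);
  const list = csp.get('frame-src') ?? csp.get('child-src') ?? csp.get('default-src');
  if (list === undefined) return true;
  return list.some(src => sourceMatches(src, pageUrl, frameUrl));
}

// Sandbox escape: with allow-scripts AND allow-same-origin, a frame that shares
// the parent's origin can reach parent.document and remove its own sandbox
// attribute. A cross-origin frame keeps both tokens but is still isolated
// from the parent by the same-origin policy.
function sandboxEscapeRisk(sandboxAttr, pageHref, frameHref) {
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return { sandboxed: false, escapable: true, reason: 'no sandbox attribute' };
  }
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  if (!(tokens.has('allow-scripts') && tokens.has('allow-same-origin'))) {
    return { sandboxed: true, escapable: false, reason: 'frame cannot both run script and keep its origin' };
  }
  const sameOrigin = new URL(pageHref).origin === new URL(frameHref).origin;
  return sameOrigin
    ? { sandboxed: true, escapable: true, reason: 'same-origin frame with allow-scripts + allow-same-origin can strip its own sandbox via parent.document' }
    : { sandboxed: true, escapable: false, reason: 'cross-origin frame: same-origin policy still separates it from the parent' };
}

// Constructed scenario (hypothetical CSP and hosts, not Theia's real configuration).
const EXAMPLE_CSP = "default-src 'none'; script-src 'self'; frame-src 'self' http://*.webview.localhost:3000";

if (typeof require !== 'undefined' && require.main === module) {
  const page = 'http://localhost:3000/';
  const frame = 'http://abc123.webview.localhost:3000/webview/index.html';
  console.log('frame-src allows', frame, cspAllowsFrame(EXAMPLE_CSP, page, frame));
  console.log(sandboxEscapeRisk('allow-scripts allow-same-origin', page, frame));
  console.log(sandboxEscapeRisk('allow-scripts allow-same-origin', 'http://127.0.0.1:3000/', 'http://127.0.0.1:3000/webview/'));
}
```

The `sourceMatches` helper implements the common CSP source forms only; it deliberately treats a host source without a port as "default port for the scheme", which is why `frame-src localhost` does not allow a frame on `http://localhost:3000`. The `sandboxEscapeRisk` result distinguishes the case the browser warns about (both tokens on a same-origin frame) from the case where the two tokens are present but the frame lives on a separate origin and therefore cannot touch the parent document.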
