CSP woes

[pelikhan]

I was wondering if there was a sample/example of webviewpanel implementation with CSP (Content Security Policy) policies applied to the HTML. I am seeing some rogue styles being inject by lit-html. I have tried to set window.litNonce so that the style element gets the 'nonce' attribute but this did not seem to fix the issue.

[bendera]

Here is a demo extension that works with csp headers, although the "unsafe-inline" is not too sophisticated.
https://github.com/vscode-elements/vscode-vscwe-demo/blob/master/src/extension.ts

What is the csp meta tag have you set? What do you mean by rouge styles? Do they come from the library? If yes, which ones? (I'm guessing it's related to the Icon component.)

If I understand the documentation correctly, the 'litNonce' only relevant to the older browsers.
https://lit.dev/docs/api/ReactiveElement/#ReactiveElement.styles

I created a demo to test a strict CSP:

<!doctype html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta
      http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'nonce-abc123'; script-src-elem 'nonce-abc123'; font-src 'self' data: 'nonce-abc123'"
    />
    <title>VSCode Elements</title>
    <link
      rel="stylesheet"
      href="/node_modules/@vscode/codicons/dist/codicon.css"
      id="vscode-codicon-stylesheet"
      nonce="abc123"
    />
    <script
      type="module"
      src="/node_modules/@vscode-elements/webview-playground/dist/index.js"
      nonce="abc123"
    ></script>
    <script nonce="abc123">
      window.litNonce = 'abc123';
    </script>
    <script type="module" src="/dist/main.js" nonce="abc123"></script>
  </head>

  <body>
    <h1>Using nonce property</h1>
    <main>
      <vscode-demo>
        <vscode-icon name="account"></vscode-icon>
        <vscode-icon name="loading" size="32" spin spin-duration="3"></vscode-icon>
        <vscode-button>Hello World</vscode-button>
        <vscode-button secondary>Hello World</vscode-button>
      </vscode-demo>
    </main>
  </body>
</html>

This is the rendered page:

I got a bunch of errors:

• The buttons are perfect. I guess it's because the Lit uses constructed styles and they are not affected.
• Webview Playground styles are blocked by CSP because it uses style tags. (I should fix that.)
• Icon component works partially. Inline styles and style tags are blocked by CSP.

This is all I currently know about CSP. I hope it will be thought-provoking.

[pelikhan]

My current styleSrc is style-src 'unsafe-inline' ${cspUrl} ${cspSource}; where cspSource is the webview.cspSource and cspUrl is my local server. I think if we can pass a nonce to the elements that trickle down all the way to the code that injects style we should be good.
Or other option is to avoid injecting styles all together and have a static css file.

https://github.com/microsoft/genaiscript/blob/main/packages/vscode/src/webview.ts#L42

[bendera]

I've resolved all the CSP related issues in the Icon component. You can also check the applied CSP policies in the dev HTML.
https://github.com/vscode-elements/elements/pull/264/files
You can try it out by installing the pre-release version. (npm i @vscode-elements/elements@next)

I'll go through all the components and fix any problematic ones. Could you possibly tell me which ones violate the CSP policies in your environment?

I've also made the Webview Playground CSP compatible.

[bendera]

Oh, and ignore this part - it has no effect:

<script nonce="abc123">
      window.litNonce = 'abc123';
      window.vscodeWebviewPlaygroundNonce = 'abc123';
</script>

[pelikhan]

I'm seeing:

[bendera]

Sorry, I made a mistake. The window.vscodeWebviewPlaygroundNonce = 'abc123'; actually does have effect.

I'll get back to you with the solution.

[pelikhan]

getting closer!

[bendera]

Check the latest pre-release.

[pelikhan]

a few more style updates. should the vscode-elements have the nonce attribute?

[bendera]

And add img-src data:; to the csp meta tag.

[pelikhan]

testing

[pelikhan]

it's raising issues when injecting a style.

I suspect adding a nonce attribute to the created style would fix the csp issue.

[pelikhan]

[bendera]

Set nonce attribute/property for <style>, <script> and stylesheet <link> tags. Change the style property instead of the attribute, eg.:
elem.style.fontWeight = 'bold';

This is my experience from the past few days.

[pelikhan]

i am using the react wrappers btw

[bendera]

From React 19 you don't have to.
https://vscode-elements.github.io/guides/framework-integrations/react/#recent-react-version

I don't think react wrapper even works with React 19. Lsat time when i tried to upgrade the react dependency I got a bunch off typescritp errors.

[pelikhan]

yes i discovered the doc on react 19 later... i should have read them more carefully. I think what threw me off was that you need to copy the definition file as well to get typescript to work (yes, i should have read the docs).

I am attaching the "nonce" value to the elements like <vscode-collapsible nonce="..."> but it's not having it. I noticed that the nonce attribute is not present in the final hTML

[bendera]

yes i discovered the doc on react 19 later... i should have read them more carefully. I think what threw me off was that you need to copy the definition file as well to get typescript to work (yes, i should have read the docs).

If you have a suggestion, PRs are welcome. :)

I am attaching the "nonce" value to the elements like but it's not having it. I noticed that the nonce attribute is not present in the final hTML

Nonce can only be used for <script> and <style>.
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#nonces

[pelikhan]

If you have a suggestion, PRs are welcome. :)

Will do. At this point, it's probably just a matter of swapping the react19 paragraph up.

For the nonce, i somehow need to communicate the nonce to the vscode-elements library so that it adds it to the dynamic style element.

[bendera]

Fortunately, Lit does not use style elements. Component styles are constructed stylesheets; in older browsers, the <style> tag is used as a fallback, but this is not the case in webview. Inline style attributes are blocked by CSP, but I am continuously removing them. The Icon component is the only one where a nonce can be used. It includes codicon.css via a <link> tag, but the nonce value can be copied from the page DOM. (Currently, you need to include codicon.css in the page DOM with a specific ID.)