
Security token and cookie are sent over plain HTTP

Open gbraad opened this issue 3 years ago • 2 comments

According to the documentation, it is claimed that using a security token from a file is more secure:

If you want your development environment to be even more secure, create a plaintext file with the desired token

ref

which is not the case, as you are still transmitting the information over HTTP to bind a session with a cookie. This can all be intercepted, either upon negotiation or from the cookie, called vscode-tkn, that gets sent in any follow-up request.

GET / HTTP/1.1
Host: localhost:3000
Cookie: vscode-tkn=secrete

This could be safer... if this was all over HTTPS.

... but, unlike what the release notes suggest, HTTPS is not enabled by default.

enable HTTPS and WebSocket Secure (wss) by default


ref

Am I missing something?

gbraad avatar Nov 10 '21 06:11 gbraad
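To make the interception concrete, here is an added Python example (not code from the openvscode-server project or from anyone in this thread) that parses a constructed capture modelled on the request quoted above, pulls the vscode-tkn value out of the Cookie header, and shows that this value is all a passive observer needs to build a request that replays the session. The cookie name comes from the issue; the capture bytes, the cookie value and the helper names are constructed for the example.

```python
"""Added example: what a network observer sees when the openvscode-server
token travels over plain HTTP. Not project code."""
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Name of the session cookie, as quoted in the issue.
TOKEN_COOKIE = "vscode-tkn"

# Constructed capture of a plain-HTTP request, modelled on the one in the
# issue. On an http:// listener this is exactly what crosses the wire.
CAPTURED_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: localhost:3000\r\n"
    b"Cookie: vscode-tkn=secrete\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Return the request headers (lower-cased names) from a raw HTTP/1.1 request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def extract_token(raw: bytes) -> Optional[str]:
    """Pull the vscode-tkn cookie value out of a captured plaintext request."""
    cookie_header = parse_headers(raw).get("cookie")
    if cookie_header is None:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(TOKEN_COOKIE)
    return morsel.value if morsel is not None else None


def replay_request(token: str, path: str = "/", host: str = "localhost:3000") -> bytes:
    """Build a follow-up request carrying a captured token.

    Nothing else is needed: the cookie is the whole credential, so whoever
    can read it once can reuse it until the server is restarted with a new token.
    """
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {TOKEN_COOKIE}={token}\r\n"
        "\r\n"
    ).encode("iso-8859-1")


if __name__ == "__main__":
    token = extract_token(CAPTURED_REQUEST)
    print("observed token:", token)
    print(replay_request(token or "").decode("iso-8859-1"))
```

The same parsing would yield nothing useful against a TLS-terminated listener, since the observer would only see the encrypted record layer; that is the whole difference the issue is pointing at.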

It is expected that you run in a secure context, either localhost or HTTPS. Probably we should clarify it in the README. Some features like webviews are not going to work otherwise.

akosyakov avatar Nov 10 '21 06:11 akosyakov
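The reply above draws the line at "localhost or https". As an added example (not project code and not from anyone in this thread), here is a Python check that applies that rule the way browsers define a potentially trustworthy origin: it accepts https and wss, and plain http or ws only when the host is localhost or a loopback address. It therefore also covers 127.0.0.1 and ::1, which the reply does not spell out, and it rejects a LAN or public address served over http, which is the case where the token from the issue would travel in the clear. The function name and the URLs are constructed for the example.

```python
"""Added example: classify an openvscode-server URL as a secure context or not.
Follows the browser notion of a potentially trustworthy origin. Not project code."""
import ipaddress
from urllib.parse import urlsplit


def is_potentially_trustworthy(url: str) -> bool:
    """True when a browser would treat this origin as a secure context.

    Secure schemes are always fine; plain http/ws is only fine when the
    traffic never leaves the machine, i.e. localhost or a loopback address.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("https", "wss"):
        return True
    if scheme not in ("http", "ws"):
        return False

    host = (parts.hostname or "").lower()
    # "localhost" and its subdomains are loopback by definition for browsers.
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a DNS name other than localhost over http: not trustworthy
    return addr.is_loopback  # 127.0.0.0/8 and ::1


def token_travels_in_clear(url: str) -> bool:
    """Convenience wrapper: would the vscode-tkn cookie be observable on the wire?"""
    return not is_potentially_trustworthy(url)


if __name__ == "__main__":
    # Constructed URLs illustrating the cases a deployment might use.
    for candidate in (
        "http://localhost:3000/",
        "http://127.0.0.1:3000/",
        "http://[::1]:3000/",
        "http://192.168.1.10:3000/",
        "https://ide.example.test/",
        "ws://192.168.1.10:3000/",
        "wss://ide.example.test/",
    ):
        print(f"{candidate:35} secure context: {is_potentially_trustworthy(candidate)}")
```

A server bound to 0.0.0.0 without TLS and reached through its LAN address falls into the "not trustworthy" branch even though the token file is in use, which is the configuration the issue warns about.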

Why is a token mechanism added, as this is also the responsibility of something outside of vscode-server? This could easily be a frontend using a BASIC AUTH flow. I believe the current addition of the token provides a false sense of security, especially in its current form and given the communication in the release notes: HTTPS is not enabled by default.

Note: as you can see from several issues that were filed, people expect the use of HTTPS or some security mechanism. I am afraid that this might be taken as "this is safe on HTTP" because a token is used.

gbraad avatar Nov 10 '21 06:11 gbraad