
Loading images causes CSP violation in Firefox

Open fritterhoff opened this issue 4 years ago • 9 comments

Does this issue occur when all extensions are disabled?: Yes

  • VS Code Version: grafik
  • OS Version: Debian 11 + Docker gitpod/openvscode-server
  • Browser: Only Firefox (tested with version 93.0)

Steps to Reproduce:

  1. Launch Docker container + SSL reverse proxy in front (e.g. traefik/nginx/caddy)
  2. Try to open an image (e.g. a simple PNG)
  3. Loading image fails due to CSP violation


fritterhoff avatar Oct 17 '21 10:10 fritterhoff

Thanks for reporting and looking into this, @fritterhoff, I will try to see what the problem is because it seems a bit weird to me that it's a Firefox-specific issue.

filiptronicek avatar Oct 26 '21 10:10 filiptronicek

Relevant docs: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src

filiptronicek avatar Oct 26 '21 10:10 filiptronicek

Great, thanks! Please let me know if you need any further information.

fritterhoff avatar Oct 26 '21 17:10 fritterhoff

Can confirm this is happening, and can confirm it is only happening on Firefox (at least tested that it is not happening on the Brave browser).

filiptronicek avatar Nov 08 '21 20:11 filiptronicek

The error in full:

Content Security Policy: The page’s settings blocked the loading of a resource at https://8000-chocolate-snake-wvx1bgot.ws-eu18.gitpod.io/static/out/vs/workbench/contrib/webview/browser/pre/service-worker.js?id=c5e068c2-8916-4e0c-a0b1-7d136f165c5e&swVersion=2&extensionId=vscode.image-preview&platform=browser&vscode-resource-base-authority=vscode-resource.vscode-webview.net&parentOrigin=https%3A%2F%2F8000-chocolate-snake-wvx1bgot.ws-eu18.gitpod.io (“img-src”).

filiptronicek avatar Nov 08 '21 21:11 filiptronicek

Even after removing the whole CSP header the image still won't load 😕 (https://github.com/microsoft/vscode/blob/6f0346f2cb31222ff99df02a50e1d6be08aec782/src/vs/server/webClientServer.ts#L229)

filiptronicek avatar Nov 08 '21 21:11 filiptronicek

If you disable the CSP policies (in about:config), it works, so the bug really comes from CSP. Sadly, I have experience neither in the development of VS Code nor in debugging CSP problems. My (stupid) idea would have been to enable CSP reporting (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri) so we could debug what's going wrong. What do you think, @filiptronicek?

fritterhoff avatar Nov 09 '21 17:11 fritterhoff
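
The CSP reporting idea from the comment above, sketched as an added example (not code from this thread or from openvscode-server): helpers that attach a `report-uri` directive to a policy and group the violation reports a browser POSTs to it. The endpoint path, host and policy string are constructed; the report field names are the standard `csp-report` ones.

```javascript
// Added example. REPORT_PATH, the host and the policy below are constructed values.
const REPORT_PATH = '/csp-report'; // hypothetical endpoint on the same origin

// Return the policy with exactly one report-uri directive pointing at reportPath.
function withReportUri(policy, reportPath) {
  const kept = policy.split(';').map((d) => d.trim())
    .filter((d) => d && !/^report-uri(\s|$)/i.test(d));
  return [...kept, `report-uri ${reportPath}`].join('; ') + ';';
}

// Drop query string and fragment from http(s) URLs so per-request ids do not
// split the groups; keywords such as "inline" or "eval" pass through unchanged.
function normalizeBlocked(blocked) {
  try {
    const u = new URL(blocked);
    return /^https?:$/.test(u.protocol) ? u.origin + u.pathname : blocked;
  } catch { return blocked; }
}

// Parse one body POSTed by the browser (Content-Type: application/csp-report).
// Returns null for anything that is not a well-formed report.
function parseCspReport(body) {
  let report;
  try { report = JSON.parse(body)['csp-report']; } catch { return null; }
  if (!report || typeof report !== 'object') return null;
  // The directive field may carry the source list too; keep only its name.
  const raw = report['effective-directive'] || report['violated-directive'] || '';
  const directive = String(raw).trim().split(/\s+/)[0];
  if (!directive) return null;
  return { directive, blocked: normalizeBlocked(String(report['blocked-uri'] || '')) };
}

// Group reports by (directive, blocked resource), most frequent first.
function summarize(bodies) {
  const counts = new Map();
  for (const body of bodies) {
    const r = parseCspReport(body);
    const key = r ? `${r.directive} ${r.blocked}` : 'unparseable';
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].sort((a, b) => b[1] - a[1]);
}

// Constructed reports shaped like the violation quoted in this thread.
const base = 'https://ide.example.test/static/out/vs/workbench/contrib/webview/browser/pre/service-worker.js';
const SAMPLE_BODIES = ['?id=1', '?id=2'].map((q) => JSON.stringify({ 'csp-report': {
  'document-uri': 'https://ide.example.test/',
  'violated-directive': "img-src 'self' data:",
  'blocked-uri': base + q,
} })).concat(['not json']);

console.log(withReportUri("default-src 'self'; img-src 'self' data:", REPORT_PATH));
console.log(summarize(SAMPLE_BODIES));
```

Sending the resulting policy as `Content-Security-Policy-Report-Only` collects the same reports without blocking anything while debugging.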

Any update on this issue?

fritterhoff avatar Nov 27 '21 06:11 fritterhoff

Firefox has a bug in its "Advanced Tracking Protection" that prevents loading of some resources in VS Code. The only workaround at this point is to disable it.

Mozilla automatically disables ATP for vscode.dev, but since you're most likely running on your own domain (or localhost), the Mozilla workaround doesn't do the trick for you.

https://bugzilla.mozilla.org/show_bug.cgi?id=1725216

imphil avatar May 17 '22 15:05 imphil