
Commit fe9ca33

committed
Set Cross-Origin-Resource-Policy on webview resource responses
Fixes #239381. Because these requests are all served by the service worker, only the webview itself should be able to make them. Embedding pages can try to access these resources, but those requests won't go through the service worker.
1 parent b40ad39 commit fe9ca33


1 file changed

+14
-9
lines changed


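--- a/src/vs/workbench/contrib/webview/browser/pre/service-worker.js
+++ b/src/vs/workbench/contrib/webview/browser/pre/service-worker.js
@@ -286,10 +286,20 @@ async function processResourceRequest(
 return requestTimeout();
 }
 
+/** @type {Record<string, string>} */
+const accessControlHeaders = {
+'Access-Control-Allow-Origin': '*',
+'Cross-Origin-Resource-Policy': 'cross-origin',
+};
+
 const entry = result.value;
 if (entry.status === 304) { // Not modified
 if (cachedResponse) {
-return cachedResponse.clone();
+const r = cachedResponse.clone();
+for (const [key, value] of Object.entries(accessControlHeaders)) {
+r.headers.set(key, value);
+}
+return r;
 } else {
 throw new Error('No cache found');
 }
@@ -303,11 +313,6 @@ async function processResourceRequest(
 return notFound();
 }
 
-/** @type {Record<string, string>} */
-const commonHeaders = {
-'Access-Control-Allow-Origin': '*',
-};
-
 const byteLength = entry.data.byteLength;
 
 const range = event.request.headers.get('range');
@@ -323,7 +328,7 @@ async function processResourceRequest(
 return new Response(entry.data.slice(start, end + 1), {
 status: 206,
 headers: {
-...commonHeaders,
+...accessControlHeaders,
 'Content-range': `bytes 0-${end}/${byteLength}`,
 }
 });
@@ -332,7 +337,7 @@ async function processResourceRequest(
 return new Response(null, {
 status: 416,
 headers: {
-...commonHeaders,
+...accessControlHeaders,
 'Content-range': `*/${byteLength}`
 }
 });
@@ -341,7 +346,7 @@ async function processResourceRequest(
 
 /** @type {Record<string, string>} */
 const headers = {
-...commonHeaders,
+...accessControlHeaders,
 'Content-Type': entry.mime,
 'Content-Length': byteLength.toString(),
 };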
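Review bot: In the 304 branch of the first hunk, `r.headers.set(key, value)` is called on `cachedResponse.clone()`, and per the Fetch spec a clone keeps the header guard of the response it was cloned from. If `cachedResponse` comes from Cache Storage (where it is obtained is outside the hunk, as are the start and end of `processResourceRequest`), that guard is immutable and `set` throws a TypeError, so a revalidated resource would fail to load instead of being served with the new `Cross-Origin-Resource-Policy` header. Copying the cached headers into a fresh `Headers` object and returning a new `Response` built from the cached body avoids depending on the guard.

```javascript
if (cachedResponse) {
	// Headers on a cached response may be immutable; work on a mutable copy.
	const headers = new Headers(cachedResponse.headers);
	for (const [key, value] of Object.entries(accessControlHeaders)) {
		headers.set(key, value);
	}
	return new Response(cachedResponse.body, {
		status: cachedResponse.status,
		statusText: cachedResponse.statusText,
		headers,
	});
} else {
	// … unchanged: throw when no cache entry exists …
```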
