vsix extensions that utilise webviews are blocked by CSP

[bassforce86]

Similar to #1530

vscode-webview.net is blocked by the current CSP, could it be considered to be adding to the allowlist?

Refused to load the stylesheet 'https://vscode-remote+localhost.vscode-resource.vscode-webview.net:1337/<$HOME>/.local/share/code-server/extensions/mhutchie.git-graph-1.30.0/media/out.min.css' 
because it violates the following Content Security Policy directive: "style-src https://*.vscode-webview.net 'unsafe-inline'". 
Note that 'style-src-elem' was not explicitly set, so 'style-src' is used as a fallback.

Extension issue was found against: mhutchie/vscode-git-graph#535

Reproduction:

• run code-server locally via any port
• open code-server in Chrome / Firefox
• install git-graph extension
• open a folder with a git project open (so some history is shown)
• open git graph
• see that the view is broken. (caused by CSP blocking out.min.css)

Code Server Info:

code-server: v3.11.1
VS Code: v1.57.1
Commit: c680aae
Date: 2021-08-06T18:33:37Z
Browser: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.31 Safari/537.36

[jsjoeio]

Yeah, I think when we landed #3895 it caused this issue.

Thanks for opening and providing repro steps! We'll take a look.

[bassforce86]

Without pulling locally, i'd hazard a guess that the initial resource check it causing this issue:
https://github.com/cdr/code-server/blob/67b23aaa1da46da4e2a10e3a6bd5e7127d79d284/lib/vscode/src/vs/workbench/api/common/shared/webview.ts#L46

as almost all resources will - at some point, reference http / https which I suspect is causing the authorities not to be loaded because of the return early.

[jsjoeio]

Thanks for digging into that! That sounds likely, but I'll have to investigate to double-check. Hoping to get to this soon 🙏

[jsjoeio]

Fixed by #4131