feat: Update NPSWebView with Content-Security-Policy meta tag

The NPSWebView has been updated to include a Content-Security-Policy meta tag in the head section of the HTML. This tag helps to improve the security of the web view by restricting the sources from which content can be loaded. The new meta tag specifies that only 'self' and 'unsafe-inline' sources are allowed for styles, and only 'self' sources are allowed for scripts. This helps to mitigate the risk of cross-site scripting (XSS) attacks.
microsoft · Jun 28, 2024 · ad9708b · ad9708b
1 parent 3a3e303
commit ad9708b
Showing 1 changed file with 2 additions and 7 deletions.
diff --git a/src/web/client/webViews/NPSWebView.ts b/src/web/client/webViews/NPSWebView.ts
@@ -55,7 +55,8 @@ export class NPSWebView {
                     <head>
                         <meta charset="UTF-8">
                         <meta name="viewport" content="width=device-width, initial-scale=1.0">
-                        <title>Test</title>
+                        <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self';">
+                        <title>Microsoft wants your feedback</title>
                         <script>${surveyScript}</script>
                     </head>
                     <body>
@@ -117,12 +118,6 @@ export class NPSWebView {
         }
     }
 
-    private extensionResourceUrl(...parts: string[]): vscode.Uri {
-        return this._webviewPanel.webview.asWebviewUri(
-            vscode.Uri.joinPath(this.extensionUri, ...parts)
-        );
-    }
-
     public static createOrShow(extensionUri: vscode.Uri): NPSWebView {
         const webview = vscode.window.createWebviewPanel(
             "testCESSurvey",