From ad9708b944105daec9166d2d1be9994066a57537 Mon Sep 17 00:00:00 2001 From: ramukaritik Date: Fri, 28 Jun 2024 12:13:48 +0530 Subject: [PATCH] feat: Update NPSWebView with Content-Security-Policy meta tag The NPSWebView has been updated to include a Content-Security-Policy meta tag in the head section of the HTML. This tag helps to improve the security of the web view by restricting the sources from which content can be loaded. The new meta tag specifies that only 'self' and 'unsafe-inline' sources are allowed for styles, and only 'self' sources are allowed for scripts. This helps to mitigate the risk of cross-site scripting (XSS) attacks. --- src/web/client/webViews/NPSWebView.ts | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/src/web/client/webViews/NPSWebView.ts b/src/web/client/webViews/NPSWebView.ts index 548eb31e..08fbaed5 100644 --- a/src/web/client/webViews/NPSWebView.ts +++ b/src/web/client/webViews/NPSWebView.ts @@ -55,7 +55,8 @@ export class NPSWebView { - Test + + Microsoft wants your feedback @@ -117,12 +118,6 @@ export class NPSWebView { } } - private extensionResourceUrl(...parts: string[]): vscode.Uri { - return this._webviewPanel.webview.asWebviewUri( - vscode.Uri.joinPath(this.extensionUri, ...parts) - ); - } - public static createOrShow(extensionUri: vscode.Uri): NPSWebView { const webview = vscode.window.createWebviewPanel( "testCESSurvey",
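Review bot: The Content-Security-Policy meta tag added in the first hunk (`@@ -55,7 +55,8 @@`) is described in the commit message as setting only style and script sources, and its markup is not visible in this rendering, so please confirm it also carries `default-src 'none'`; without that fallback, images, fonts, frames and connect targets are not restricted at all. In a VS Code webview `'self'` typically does not match the origin that extension resources are served from, so the usual pattern is `${webview.cspSource}` plus a per-render nonce for scripts, e.g. `<meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src ${webview.cspSource} 'unsafe-inline'; script-src 'nonce-${nonce}';">`, where `nonce` is a placeholder for a value generated on each render. Keeping `'unsafe-inline'` for styles still permits injected inline styles, so a one-line comment beside the tag saying why it is required would help the next reviewer. The HTML template and the class body both continue outside the hunk, so whether the page loads any scripts or external assets cannot be checked from here.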