Skip to content

fix: resolve webview resource loading errors (ERR_ACCESS_DENIED and 404) #6685

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix: resolve webview resource loading errors (ERR_ACCESS_DENIED and 404) #6685

wants to merge 1 commit into from

Conversation

@roomote
Copy link
Contributor

@roomote roomote bot commented Aug 4, 2025
edited by ellipsis-dev bot
Loading

This PR fixes the webview resource loading errors reported in issue #6684 where JavaScript chunks and source maps were failing to load with ERR_ACCESS_DENIED and 404 errors.

Changes:

  • Removed 'strict-dynamic' from the script-src directive in the webview's CSP to allow dynamically imported chunks to load
  • Updated the Vite sourcemap plugin to create compatibility files (index.map.json and index.sourcemap)
  • Ensured all JS files have proper sourceMappingURL references

Testing:

  • Built the webview successfully with all chunks and source maps generated
  • Ran webview tests - all passing
  • Ran linting - no issues
  • Type checking passed

Fixes #6684

Important

Fixes webview resource loading errors by updating CSP and ensuring correct source map references in ClineProvider.ts and sourcemapPlugin.ts.

  • Behavior:
    • Removed 'strict-dynamic' from script-src in CSP in ClineProvider.ts to fix ERR_ACCESS_DENIED for dynamic imports.
    • Updated sourcemapPlugin.ts to ensure all JS files have correct sourceMappingURL references and create index.map.json and index.sourcemap for compatibility.
  • Testing:
    • Built webview with all chunks and source maps generated.
    • All webview tests passed.
    • Linting and type checking passed.

This description was created by Ellipsis for 5a44518. You can customize this summary. It will automatically update as commits are pushed.

@roomote
fix: resolve webview resource loading errors (ERR_ACCESS_DENIED and 404)
5a44518 
- Remove 'strict-dynamic' from CSP to allow dynamically loaded chunks
- Update sourcemap plugin to create compatibility files (index.map.json and index.sourcemap)
- Fix source map references in build output to use correct file extensions

Fixes #6684
@roomote roomote bot requested review from cte, jr and mrubens as code owners August 4, 2025 20:10
@dosubot dosubot bot added size:M This PR changes 30-99 lines, ignoring generated files. bug Something isn't working labels Aug 4, 2025
@roomote roomote bot mentioned this pull request Aug 4, 2025
Closed
roomote[bot]
roomote bot commented Aug 4, 2025
View reviewed changes
Copy link
Contributor Author

@roomote roomote bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewing my own code is like debugging in a mirror - everything looks backwards but the bugs are still mine.

src/core/webview/ClineProvider.ts
<meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
<meta name="theme-color" content="#000000">
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; font-src ${webview.cspSource} data:; style-src ${webview.cspSource} 'unsafe-inline'; img-src ${webview.cspSource} https://storage.googleapis.com https://img.clerk.com data:; media-src ${webview.cspSource}; script-src ${webview.cspSource} 'wasm-unsafe-eval' 'nonce-${nonce}' https://us-assets.i.posthog.com 'strict-dynamic'; connect-src ${webview.cspSource} https://openrouter.ai https://api.requesty.ai https://us.i.posthog.com https://us-assets.i.posthog.com;">
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; font-src ${webview.cspSource} data:; style-src ${webview.cspSource} 'unsafe-inline'; img-src ${webview.cspSource} https://storage.googleapis.com https://img.clerk.com data:; media-src ${webview.cspSource}; script-src ${webview.cspSource} 'wasm-unsafe-eval' 'nonce-${nonce}' https://us-assets.i.posthog.com; connect-src ${webview.cspSource} https://openrouter.ai https://api.requesty.ai https://us.i.posthog.com https://us-assets.i.posthog.com;">
Copy link
Contributor Author

@roomote roomote bot Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is removing 'strict-dynamic' from the CSP the only way to fix this? While it solves the immediate issue, it does weaken security slightly. Have you explored alternatives like adding nonces to dynamically imported scripts to maintain the stricter CSP?

webview-ui/src/vite-plugins/sourcemapPlugin.ts
const sourceMappingURLRegex = /\/\/# sourceMappingURL=.*/
if (sourceMappingURLRegex.test(jsContent)) {
// Update existing reference to use correct format
jsContent = jsContent.replace(sourceMappingURLRegex, `//# sourceMappingURL=${jsFile}.map`)
Copy link
Contributor Author

@roomote roomote bot Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The regex replacement here could fail silently. Consider adding validation to ensure the replacement was successful:
//# sourceMappingURL=.mapFailed to update source map reference in

webview-ui/src/vite-plugins/sourcemapPlugin.ts
if (fs.existsSync(indexJsPath) && fs.existsSync(indexMapPath)) {
// Copy index.js.map to index.map.json for compatibility
const indexMapJsonPath = path.join(assetsDir, "index.map.json")
fs.copyFileSync(indexMapPath, indexMapJsonPath)
Copy link
Contributor Author

@roomote roomote bot Aug 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we reduce duplication here by extracting the compatibility file creation into a helper function? Something like:
Created for compatibility

@hannesrudolph hannesrudolph added the Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. label Aug 4, 2025
@daniel-lxs
Copy link
Member

daniel-lxs commented Aug 6, 2025

The issue needs to be reproduced, closing for now

@daniel-lxs daniel-lxs closed this Aug 6, 2025
@github-project-automation github-project-automation bot moved this from New to Done in Roo Code Roadmap Aug 6, 2025
@github-project-automation github-project-automation bot moved this from Triage to Done in Roo Code Roadmap Aug 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrubens mrubens Awaiting requested review from mrubens mrubens is a code owner

@cte cte Awaiting requested review from cte cte is a code owner

@jr jr Awaiting requested review from jr jr is a code owner

Assignees

No one assigned

Labels

bug Something isn't working Issue/PR - Triage New issue. Needs quick review to confirm validity and assign labels. size:M This PR changes 30-99 lines, ignoring generated files.

Projects

Roo Code Roadmap
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Webview Resources Fail to Load Due to ERR_ACCESS_DENIED and 404 Errors

4 participants

@daniel-lxs @hannesrudolph @roomote