Specifying webview resources using VS Code APIs (#1118)

`vscode-resource:` -> `webview.asWebviewUri` for futureproofing.

Author: bryceitoc9

src/eventSchemas/commands/searchSchemas.ts

@@ -53,11 +53,12 @@ export async function createSearchSchemasWebView(params: {
         )
         const baseTemplateFn = _.template(BaseTemplates.SIMPLE_HTML)
         const searchTemplate = _.template(SchemaTemplates.SEARCH_TEMPLATE)
-        const loadScripts = ExtensionUtilities.getScriptsForHtml(['searchSchemasVue.js'])
-        const loadLibs = ExtensionUtilities.getLibrariesForHtml(['vue.min.js', 'lodash.min.js'])
-        const loadStylesheets = ExtensionUtilities.getCssForHtml(['searchSchemas.css'])
+        const loadScripts = ExtensionUtilities.getScriptsForHtml(['searchSchemasVue.js'], view.webview)
+        const loadLibs = ExtensionUtilities.getLibrariesForHtml(['vue.min.js', 'lodash.min.js'], view.webview)
+        const loadStylesheets = ExtensionUtilities.getCssForHtml(['searchSchemas.css'], view.webview)
 
         view.webview.html = baseTemplateFn({
+            cspSource: view.webview.cspSource,
             content: searchTemplate({
                 Header: getPageHeader(registryNames),
                 SearchInputPlaceholder: localize(

src/eventSchemas/templates/searchSchemasTemplates.ts

@@ -30,13 +30,13 @@ export class SchemaTemplates {
     <input type="submit" :disabled="downloadDisabled" v-on:click="downloadClicked" value="Download Code Bindings">
     </div>
     <% Libraries.forEach(function(lib) { %>
-        <script nonce="<%= lib.nonce %>" src="<%= lib.uri %>"></script>
+        <script src="<%= lib %>"></script>
     <% }); %>
     <% Scripts.forEach(function(scr) { %>
-        <script nonce="<%= scr.nonce %>" src="<%= scr.uri %>"></script>
+        <script src="<%= scr %>"></script>
     <% }); %>
     <% Stylesheets.forEach(function(scr) { %>
-        <link rel="stylesheet" type="text/css" href="<%= scr.uri %>">
+        <link rel="stylesheet" type="text/css" href="<%= scr %>">
     <% }); %>
     `
 }

src/feedback/commands/submitFeedback.ts

@@ -26,16 +26,18 @@ export function submitFeedback(listener?: (message: any) => Promise<void>): vsco
     const baseTemplateFn = _.template(BaseTemplates.SIMPLE_HTML)
 
     panel.webview.html = baseTemplateFn({
+        cspSource: panel.webview.cspSource,
         content: '<h1>Loading...</h1>',
     })
 
     const feedbackTemplateFn = _.template(FeedbackTemplates.SUBMIT_TEMPLATE)
 
-    const loadScripts = ExtensionUtilities.getScriptsForHtml(['submitFeedbackVue.js'])
-    const loadLibs = ExtensionUtilities.getLibrariesForHtml(['vue.min.js'])
-    const loadStylesheets = ExtensionUtilities.getCssForHtml(['submitFeedback.css'])
+    const loadScripts = ExtensionUtilities.getScriptsForHtml(['submitFeedbackVue.js'], panel.webview)
+    const loadLibs = ExtensionUtilities.getLibrariesForHtml(['vue.min.js'], panel.webview)
+    const loadStylesheets = ExtensionUtilities.getCssForHtml(['submitFeedback.css'], panel.webview)
 
     panel.webview.html = baseTemplateFn({
+        cspSource: panel.webview.cspSource,
         content: feedbackTemplateFn({
             Scripts: loadScripts,
             Libraries: loadLibs,

src/feedback/templates/feedbackTemplates.ts

@@ -37,13 +37,13 @@ export class FeedbackTemplates {
         </div>
     </div>
     <% Libraries.forEach(function(lib) { %>
-        <script nonce="<%= lib.nonce %>" src="<%= lib.uri %>"></script>
+        <script src="<%= lib %>"></script>
     <% }); %>
     <% Scripts.forEach(function(scr) { %>
-        <script nonce="<%= scr.nonce %>" src="<%= scr.uri %>"></script>
+        <script src="<%= scr %>"></script>
     <% }); %>
     <% Stylesheets.forEach(function(scr) { %>
-        <link rel="stylesheet" type="text/css" href="<%= scr.uri %>">
+        <link rel="stylesheet" type="text/css" href="<%= scr %>">
     <% }); %>
     `
 }

src/lambda/commands/invokeLambda.ts

@@ -63,6 +63,7 @@ export async function invokeLambda(params: {
         const baseTemplateFn = _.template(BaseTemplates.SIMPLE_HTML)
 
         view.webview.html = baseTemplateFn({
+            cspSource: view.webview.cspSource,
             content: '<h1>Loading...</h1>',
         })
 
@@ -92,10 +93,11 @@ export async function invokeLambda(params: {
                 })
             })
 
-            const loadScripts = ExtensionUtilities.getScriptsForHtml(['invokeLambdaVue.js'])
-            const loadLibs = ExtensionUtilities.getLibrariesForHtml(['vue.min.js'])
+            const loadScripts = ExtensionUtilities.getScriptsForHtml(['invokeLambdaVue.js'], view.webview)
+            const loadLibs = ExtensionUtilities.getLibrariesForHtml(['vue.min.js'], view.webview)
 
             view.webview.html = baseTemplateFn({
+                cspSource: view.webview.cspSource,
                 content: invokeTemplateFn({
                     FunctionName: functionNode.configuration.FunctionName,
                     InputSamples: inputs,

src/lambda/models/scriptResource.ts

@@ -35,10 +35,10 @@ export class LambdaTemplates {
         <br />
     </div>
     <% Libraries.forEach(function(lib) { %>
-        <script nonce="<%= lib.nonce %>" src="<%= lib.uri %>"></script>
+        <script src="<%= lib %>"></script>
     <% }); %>
     <% Scripts.forEach(function(scr) { %>
-        <script nonce="<%= scr.nonce %>" src="<%= scr.uri %>"></script>
+        <script src="<%= scr %>"></script>
     <% }); %>
     `
 }

src/lambda/templates/lambdaTemplates.ts

@@ -8,7 +8,6 @@ import * as os from 'os'
 import * as path from 'path'
 import * as vscode from 'vscode'
 import * as nls from 'vscode-nls'
-import { ScriptResource } from '../lambda/models/scriptResource'
 import { ext } from '../shared/extensionGlobals'
 import { mostRecentVersionKey, pluginVersion } from './constants'
 import { readFileAsString } from './filesystemUtilities'
@@ -17,41 +16,29 @@ import { getLogger } from './logger'
 const localize = nls.loadMessageBundle()
 
 export class ExtensionUtilities {
-    public static getLibrariesForHtml(names: string[]): ScriptResource[] {
+    public static getLibrariesForHtml(names: string[], webview: vscode.Webview): vscode.Uri[] {
         const basePath = path.join(ext.context.extensionPath, 'media', 'libs')
 
-        return this.resolveResourceURIs(basePath, names)
+        return this.resolveResourceURIs(basePath, names, webview)
     }
 
-    public static getScriptsForHtml(names: string[]): ScriptResource[] {
+    public static getScriptsForHtml(names: string[], webview: vscode.Webview): vscode.Uri[] {
         const basePath = path.join(ext.context.extensionPath, 'media', 'js')
 
-        return this.resolveResourceURIs(basePath, names)
+        return this.resolveResourceURIs(basePath, names, webview)
     }
 
-    public static getCssForHtml(names: string[]): ScriptResource[] {
+    public static getCssForHtml(names: string[], webview: vscode.Webview): vscode.Uri[] {
         const basePath = path.join(ext.context.extensionPath, 'media', 'css')
 
-        return this.resolveResourceURIs(basePath, names)
+        return this.resolveResourceURIs(basePath, names, webview)
     }
 
-    public static getNonce(): string {
-        let text = ''
-        const possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
-        for (let i = 0; i < 32; i++) {
-            text += possible.charAt(Math.floor(Math.random() * possible.length))
-        }
-
-        return text
-    }
-
-    private static resolveResourceURIs(basePath: string, names: string[]): ScriptResource[] {
-        const scripts: ScriptResource[] = []
+    private static resolveResourceURIs(basePath: string, names: string[], webview: vscode.Webview): vscode.Uri[] {
+        const scripts: vscode.Uri[] = []
         _.forEach(names, scriptName => {
             const scriptPathOnDisk = vscode.Uri.file(path.join(basePath, scriptName))
-            const scriptUri = scriptPathOnDisk.with({ scheme: 'vscode-resource' })
-            const nonce = ExtensionUtilities.getNonce()
-            scripts.push({ nonce: nonce, uri: scriptUri })
+            scripts.push(webview.asWebviewUri(scriptPathOnDisk))
         })
 
         return scripts
@@ -110,17 +97,17 @@ export async function createQuickStartWebview(
     context: vscode.ExtensionContext,
     page: string = 'quickStart.html'
 ): Promise<vscode.WebviewPanel> {
-    const html = convertExtensionRootTokensToPath(
-        await readFileAsString(path.join(context.extensionPath, page)),
-        context.extensionPath
-    )
     // create hidden webview, leave it up to the caller to show
     const view = vscode.window.createWebviewPanel(
         'html',
         localize('AWS.command.quickStart.title', 'AWS Toolkit - Quick Start'),
         { viewColumn: vscode.ViewColumn.Active, preserveFocus: true }
     )
-    view.webview.html = html
+    view.webview.html = convertExtensionRootTokensToPath(
+        await readFileAsString(path.join(context.extensionPath, page)),
+        context.extensionPath,
+        view.webview
+    )
 
     return view
 }
@@ -132,8 +119,10 @@ export async function createQuickStartWebview(
  * @param text Text to scan
  * @param basePath Extension path (from extension context)
  */
-function convertExtensionRootTokensToPath(text: string, basePath: string): string {
-    return text.replace(/!!EXTENSIONROOT!!/g, `vscode-resource:${basePath}`)
+function convertExtensionRootTokensToPath(text: string, basePath: string, webview: vscode.Webview): string {
+    return text.replace(/!!EXTENSIONROOT!!(?<restOfUrl>[-a-zA-Z0-9@:%_\+.~#?&//=]*)/g, (matchedString, restOfUrl) => {
+        return webview.asWebviewUri(vscode.Uri.file(`${basePath}${restOfUrl}`)).toString()
+    })
 }
 
 /**

src/shared/extensionUtilities.ts

@@ -4,17 +4,20 @@
  */
 
 export class BaseTemplates {
-    /* tslint:disable max-line-length */
     public static readonly SIMPLE_HTML = `
         <html>
         <head>
             <meta charset="UTF-8">
             <meta name="viewport" content="width=device-width, initial-scale=1.0">
-            <meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src vscode-resource: https: data:; script-src vscode-resource: 'self' 'unsafe-eval'; style-src vscode-resource:;">
+            <meta http-equiv="Content-Security-Policy"
+                content="default-src 'none';
+                img-src <%= cspSource %> https: data:;
+                script-src <%= cspSource %> 'self' 'unsafe-eval';
+                style-src <%= cspSource %>;"
+            >
         </head>
             <body>
                 <%= content %>
             </body>
         </html>`
-    /* tslint:enable max-line-length */
 }

src/shared/templates/baseTemplates.ts

@@ -26,10 +26,14 @@ export async function showErrorDetails(element: ErrorNode) {
 
     try {
         const baseTemplateFn = _.template(BaseTemplates.SIMPLE_HTML)
-        view.webview.html = baseTemplateFn({ content: `<h1>${localize('AWS.message.loading', 'Loading...')}</h1>` })
+        view.webview.html = baseTemplateFn({
+            cspSource: view.webview.cspSource,
+            content: `<h1>${localize('AWS.message.loading', 'Loading...')}</h1>`,
+        })
 
         const showErrorDetailsTemplateFn = _.template(ErrorTemplates.SHOW_ERROR_DETAILS)
         view.webview.html = baseTemplateFn({
+            cspSource: view.webview.cspSource,
             content: showErrorDetailsTemplateFn(element),
         })
     } catch (err) {
@@ -39,7 +43,10 @@ export async function showErrorDetails(element: ErrorNode) {
         logger.error(error.message)
 
         const baseTemplateFn = _.template(BaseTemplates.SIMPLE_HTML)
-        view.webview.html = baseTemplateFn({ content: `Error displaying error details: ${error.message}` })
+        view.webview.html = baseTemplateFn({
+            cspSource: view.webview.cspSource,
+            content: `Error displaying error details: ${error.message}`,
+        })
     } finally {
         recordAwsShowExplorerErrorDetails({ result: showResult })
     }