Fix error loading webview service worker on Chrome (#8773)

Port of #8770 to the main
branch.

Author: jmcphers

build/secrets/.secrets.baseline

@@ -1711,7 +1711,7 @@
       {
         "type": "Base64 High Entropy String",
         "filename": "src/vs/workbench/contrib/webview/browser/pre/index.html",
-        "hashed_secret": "8f848d45aabb6a8b8da85a44943af7f622b9ade3",
+        "hashed_secret": "e7a023150065e25d74a3ef59bdedb85e9f3f42c5",
         "is_verified": false,
         "line_number": 9,
         "is_secret": false
@@ -1786,5 +1786,5 @@
       }
     ]
   },
-  "generated_at": "2025-07-30T21:02:03Z"
+  "generated_at": "2025-07-31T20:07:12Z"
 }

src/vs/server/node/remoteExtensionHostAgentServer.ts

@@ -164,23 +164,10 @@ class RemoteExtensionHostAgentServer extends Disposable implements IServerAPI {
 			return void res.end('OK');
 		}
 
-		// --- Start PWB ---
-		// Validate the connection token for all requests except the webview
-		// service worker.
-		//
-		// When the browser requests the service worker (loaded from index.html
-		// in browser/pre), it can omit the connection token cookie, causing the
-		// server to reject the request here.
-		//
-		// Upstream VS Code doesn't have this problem since the webview and
-		// service worker aren't served from this codepath at all but from a CDN.
-		if (pathname.indexOf('/service-worker.js') === -1) {
-			if (!httpRequestHasValidConnectionToken(this._connectionToken, req, parsedUrl)) {
-				// invalid connection token
-				return serveError(req, res, 403, `Forbidden.`);
-			}
+		if (!httpRequestHasValidConnectionToken(this._connectionToken, req, parsedUrl)) {
+			// invalid connection token
+			return serveError(req, res, 403, `Forbidden.`);
 		}
-		// --- End PWB ---
 
 		if (pathname === '/vscode-remote-resource') {
 			// Handle HTTP requests for resources rendered in the rich client (images, fonts, etc.)

src/vs/workbench/contrib/webview/browser/pre/index.html

@@ -6,7 +6,7 @@
 
 	<!-- Start PWB: serve same origin -->
 	<meta http-equiv="Content-Security-Policy"
-		content="default-src 'none'; script-src 'sha256-/qgqbHEZCrIqUOyxf4kxCym0Svcu9WOma3qHTPUldD4=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
+		content="default-src 'none'; script-src 'sha256-NPpZhEvmG5f+y/SzFPmY5Y/Iyy6dC4HC9nONtQig/h0=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
 	<!-- End PWB: serve same origin -->
 
 	<!-- Disable pinch zooming -->
@@ -239,8 +239,15 @@
 				return reject(new Error('Service Workers are not enabled. Webviews will not work. Try disabling private/incognito mode.'));
 			}
 
+			// --- Start Positron ---
+			// Remove { type: 'module' } from service worker registration options. On Chrome, this causes
+			// the browser to make the request for the service worker without any cookies attached, which
+			// causes the request to fail.
+			//
+			// Upstream VS Code doesn't have this issue since it loads this file from a CDN.
 			const swPath = encodeURI(`service-worker.js?v=${expectedWorkerVersion}&vscode-resource-base-authority=${searchParams.get('vscode-resource-base-authority')}&remoteAuthority=${searchParams.get('remoteAuthority') ?? ''}`);
-			navigator.serviceWorker.register(swPath, { type: 'module' })
+			navigator.serviceWorker.register(swPath)
+			// --- End Positron ---
 				.then(async registration => {
 					/**
 					 * @param {MessageEvent} event