Allow unsecure connections to localhost for web extensions #138780

Closed
elringus opened this issue Dec 9, 2021 · 5 comments
Labels: extensions, feature-request, verification-needed, verified, web

elringus commented Dec 9, 2021

I'm developing an extension, which is connecting to a local websocket server to provide additional metadata and utilities for the edited documents. The extension is currently running on .NET runtime and works fine via unsecured websocket connection.

I want to migrate the extension to the browser environment, so it can work on both vscode.dev and standalone VS Code instances.

I was able to make the extension work in browser. Again, it's using unsecure websocket connection to local server and works fine.

However, the same thing doesn't work in standalone mode, where unsecure connections to localhost are not allowed.

Given it's allowed in all the other cases (regular extensions, web extensions in browser), I wonder if it's possible to also allow it for web extensions running in standalone.

elringus commented Dec 11, 2021

The use case for this is actually pretty wide. Imagine a scenario where you need inter-process communication between a VS Code web extension and a third-party app installed locally on the user machine (eg, LSP server or debugger). We can't expect each user to install a certificate in this case. For the same reason, unsecured connections to localhost are allowed by default in browsers.

elringus changed the title from "Allow unsecure connections to local websocket server for web extensions running in standalone VS Code instance" to "Allow unsecure connections to local websocket server for web extensions" Dec 13, 2021
elringus changed the title from "Allow unsecure connections to local websocket server for web extensions" to "Allow unsecure connections to localhost for web extensions" Dec 13, 2021

elringus commented

Just noticed that when running vscode.dev under Chrome the unsecured connections are not allowed as well. They are somehow working in Firefox though, which made me initially think that the restriction was only for standalone mode.

I've checked the modern browsers (outside of VS Code) and they are all allowing unsecured connections to localhost by default (even when served from https domain); eg, from MDN secure context docs:

If I understand correctly, encrypting connections to localhost doesn't really benefit security: https://palant.info/2019/04/11/bogus-security-mechanisms-encrypting-localhost-traffic/

Really hope VS Code will lift the restriction, as it makes it very troublesome (if at all possible) to talk with local apps from web extensions.

elringus commented

@jrieken @alexdima sorry for the ping, just wanted to make sure the topic is not lost. Can you please let me know if lifting the restriction is something you may consider or is it out of the question?

jrieken commented Dec 14, 2021

@alexdima Maybe it's sufficient to allow the combination of localhost and unsecure web sockets, like Content-Security-Policy: connect-src ws://localhost

jrieken added a commit that referenced this issue Dec 14, 2021
sourcegraph-bot pushed a commit to sgtest/megarepo that referenced this issue Dec 14, 2021
…and 127.0.0.1 via http and ws protocols, microsoft/vscode#138780

Commit: 12b1d5c06dc8198e7d0e87cad2fefc918a483d29
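
The `connect-src` suggestion and the commit summary above both turn on how CSP host-source expressions match a URL: a source with no port matches only the scheme's default port, and `localhost` does not cover `127.0.0.1`. The following is an added example, not code from the VS Code repository; the matcher is simplified (scheme, host and port only) and the `widened` policy string is constructed for illustration, not the policy the commit shipped.

```javascript
// Added example: simplified matcher for CSP connect-src host-source expressions.
// Handles scheme://host[:port] only (no paths, host wildcards, or 'self').
const DEFAULT_PORT = { http: "80", https: "443", ws: "80", wss: "443" };
// An insecure scheme in the policy also admits its secure counterpart.
const SCHEME_UPGRADE = { http: "https", ws: "wss" };

function parseSource(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}

function sourceMatches(expr, target) {
  const src = parseSource(expr);
  const url = new URL(target);
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== src.scheme && SCHEME_UPGRADE[src.scheme] !== scheme) return false;
  // Host comparison is textual: "localhost" and "127.0.0.1" are different sources.
  if (url.hostname.toLowerCase() !== src.host) return false;
  const port = url.port || DEFAULT_PORT[scheme];
  if (src.port === "*") return true;                               // any port
  if (src.port === "") return port === DEFAULT_PORT[scheme];       // default port only
  return port === src.port;
}

function connectAllowed(policy, target) {
  const sources = policy.trim().split(/\s+/).slice(1); // drop the "connect-src" keyword
  return sources.some((s) => sourceMatches(s, target));
}

function demo() {
  const asSuggested = "connect-src ws://localhost";
  // Constructed policy: loopback names only, any port, ws and http.
  const widened =
    "connect-src ws://localhost:* ws://127.0.0.1:* http://localhost:* http://127.0.0.1:*";
  const targets = [
    "ws://localhost/",            // default port 80
    "ws://localhost:3000/",       // typical dev-server port
    "ws://127.0.0.1:3000/",       // loopback by address
    "http://localhost:8080/api",  // plain HTTP to a local service
    "ws://example.com:3000/",     // non-loopback host
  ];
  return targets.map((t) => ({
    target: t,
    asSuggested: connectAllowed(asSuggested, t),
    widened: connectAllowed(widened, t),
  }));
}

console.table(demo());
```

Keeping the allowance to explicit loopback names rather than a bare `ws:` or `http:` scheme source means the relaxation does not extend to remote hosts.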
jrieken added the extensions, feature-request and web labels Dec 14, 2021
jrieken added this to the January 2022 milestone Dec 14, 2021

jrieken commented Dec 14, 2021

This should work with tomorrow's insiders

jrieken closed this as completed Dec 14, 2021
hediet added the verification-needed label Jan 25, 2022
tanhakabir added the verification-steps-needed label Jan 26, 2022
connor4312 added the verified label and removed the verification-steps-needed label Jan 26, 2022
github-actions bot locked and limited conversation to collaborators Jan 29, 2022