From e8e41571ac547ee0b6e67e240faa72dba73cb80c Mon Sep 17 00:00:00 2001 From: Sergey Kazantsev Date: Thu, 9 Jul 2026 13:52:45 +0000 Subject: [PATCH] fix: Harden extension host iframe message origin validation --- patches/web-server/webview.diff | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/patches/web-server/webview.diff b/patches/web-server/webview.diff index ef2896c6..d2ffc79c 100644 --- a/patches/web-server/webview.diff +++ b/patches/web-server/webview.diff @@ -86,17 +86,20 @@ Index: third-party-src/src/vs/workbench/services/extensions/worker/webWorkerExte =================================================================== --- third-party-src.orig/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html +++ third-party-src/src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html -@@ -25,6 +25,13 @@ - // validation not requested +@@ -15,7 +15,7 @@ + // DO NOT CHANGE the name of the worker without also updating js-debug, as that + // is used to filter targets to attach to (e.g. #232544) + const name = searchParams.get('debugged') ? 'DebugExtensionHostWorker' : 'ExtensionHostWorker'; +- const parentOrigin = searchParams.get('parentOrigin') || window.origin; ++ let parentOrigin = window.origin; + const salt = searchParams.get('salt'); + + (async function () { +@@ -25,6 +25,8 @@ return start(); } + -+ // It is safe to run if we are on the same host. -+ const parent = new URL(parentOrigin) -+ if (parent.hostname === hostname) { -+ return start() -+ } -+ ++ parentOrigin = searchParams.get('parentOrigin') || window.origin; if (!crypto.subtle) { // cannot validate, not running in a secure context return sendError(new Error(`Cannot validate in current context!`));