From 67e4bc9ad67f0c0cf320a4b6ca57585ed9853f5a Mon Sep 17 00:00:00 2001
From: shmck <shawn.j.mckay@gmail.com>
Date: Sat, 13 Nov 2021 13:06:07 -0800
Subject: [PATCH] resolve sha hash exemptions

Signed-off-by: shmck <shawn.j.mckay@gmail.com>
---
 src/commands.ts                |  1 -
 src/services/webview/render.ts | 19 ++++++++++++++++---
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/commands.ts b/src/commands.ts
index 5b79dbc7..4991ba8f 100644
--- a/src/commands.ts
+++ b/src/commands.ts
@@ -33,7 +33,6 @@ export const send = (action: T.Action): void => {
 }
 
 export const createCommands = (commandProps: CreateCommandProps): { [key: string]: any } => {
-  console.log(commandProps)
   const { extensionPath, workspaceState } = commandProps
   // React panel webview
   let webview: any
diff --git a/src/services/webview/render.ts b/src/services/webview/render.ts
index b157b167..0feb3b84 100644
--- a/src/services/webview/render.ts
+++ b/src/services/webview/render.ts
@@ -27,6 +27,7 @@ async function render(panel: vscode.WebviewPanel, rootPath: string): Promise<voi
 
     // used for CSP
     const nonces: string[] = []
+    const hashes: string[] = []
 
     // generate vscode-resource build path uri
     const createUri = (_filePath: string): any => {
@@ -50,7 +51,12 @@ async function render(panel: vscode.WebviewPanel, rootPath: string): Promise<voi
     // support additional CSP exemptions when CodeRoad is embedded
     if (CONTENT_SECURITY_POLICY_EXEMPTIONS && CONTENT_SECURITY_POLICY_EXEMPTIONS.length) {
       for (const exemption of CONTENT_SECURITY_POLICY_EXEMPTIONS.split(' ')) {
-        nonces.push(exemption)
+        // sha hashes should not be prefixed with 'nonce-'
+        if (exemption.match(/^sha/)) {
+          hashes.push(exemption)
+        } else {
+          nonces.push(exemption)
+        }
       }
     }
 
@@ -71,17 +77,24 @@ async function render(panel: vscode.WebviewPanel, rootPath: string): Promise<voi
     }
 
     // set CSP (content security policy) to grant permission to local files
+    // while blocking unexpected malicious network requests
     const cspMeta: HTMLMetaElement = document.createElement('meta')
     cspMeta.httpEquiv = 'Content-Security-Policy'
+
+    const wrapInQuotes = (str: string) => `'${str}'`
+    const nonceString = nonces.map((nonce: string) => wrapInQuotes(`nonce-${nonce}`)).join(' ')
+    const hashString = hashes.map(wrapInQuotes).join(' ')
+
     cspMeta.content =
       [
         `default-src 'self'`,
+        `manifest-src ${hashString} 'self'`,
         `connect-src https: http:`,
         // @ts-ignore
         `font-src ${panel.webview.cspSource} http: https: data:`,
         // @ts-ignore
         `img-src ${panel.webview.cspSource} https:`,
-        `script-src ${nonces.map((nonce) => `'nonce-${nonce}'`).join(' ')} data:`,
+        `script-src ${nonceString} ${hashString} data:`,
         // @ts-ignore
         `style-src ${panel.webview.cspSource} https: 'self' 'unsafe-inline'`,
       ].join('; ') + ';'
@@ -92,7 +105,7 @@ async function render(panel: vscode.WebviewPanel, rootPath: string): Promise<voi
 
     // set view
     panel.webview.html = html
-  } catch (error) {
+  } catch (error: any) {
     onError(error)
     console.error(error)
   }