feat(Sky): Add VS Code CDN and file scheme CSP permissions

NikolaRHristov · NikolaRHristov · commit 736ca262610b · 2026-04-10T16:29:44.000+03:00
Add Content Security Policy permissions required for VS Code extension host and webview functionality:
1. frame-src: Allow vscode-webview.net, *.vscode-cdn.net, *.vscode-webview.net for extension iframe loading
2. script-src/style-src/connect-src: Allow vscode-file: and vscode-file://vscode-app for local file access in extensions
3. connect-src: Allow blob: and ipc: for extension host communication

Additionally, implement a Blob constructor patch in Workbench.ts that intercepts VS Code worker bootstrap blobs and injects the __name shim. This ensures extension host blob workers have access to esbuild's __name helper without requiring external fetches.

These changes enable VS Code extensions to load properly from CDN sources and access local file resources.
diff --git a/Source/Workbench/Electron/Workbench.ts b/Source/Workbench/Electron/Workbench.ts
@@ -77,7 +77,8 @@ if (typeof window.requestIdleCallback !== "function") {
 		return setTimeout(() => {
 			Callback({
 				didTimeout: Timeout <= 0,
-				timeRemaining: () => Math.max(0, Timeout - (Date.now() - Start)),
+				timeRemaining: () =>
+					Math.max(0, Timeout - (Date.now() - Start)),
 			});
 		}, Timeout) as unknown as number;
 	};
@@ -106,6 +107,34 @@ if (typeof (globalThis as any).__name !== "function") {
 	};
 }
 
+// Inject __name into blob workers via Blob constructor patch (zero-cost).
+// VS Code's getWorkerBootstrapUrl builds blobs from string arrays. We intercept
+// Blob creation and prepend the __name shim to any application/javascript blob
+// that contains the VS Code worker marker. No XHR, no re-fetch — just string
+// prepend at construction time.
+{
+	const OriginalBlob = globalThis.Blob;
+	const NameShim =
+		"var __defProp=Object.defineProperty;var __name=(t,v)=>__defProp(t,'name',{value:v,configurable:true});\n";
+
+	(globalThis as any).Blob = function PatchedBlob(
+		Parts?: BlobPart[],
+		Options?: BlobPropertyBag,
+	) {
+		if (
+			Options?.type === "application/javascript" &&
+			Parts?.length &&
+			typeof Parts[0] === "string" &&
+			Parts[0].includes("_VSCODE_NLS_MESSAGES")
+		) {
+			// This is a VS Code worker bootstrap blob — prepend __name shim
+			Parts = [NameShim, ...Parts];
+		}
+		return new OriginalBlob(Parts, Options);
+	} as unknown as typeof Blob;
+	(globalThis as any).Blob.prototype = OriginalBlob.prototype;
+}
+
 try {
 	const WorkbenchUrl =
 		"/Static/Application/vs/code/electron-browser/workbench/workbench.js";
diff --git a/Source/pages/Browser.astro b/Source/pages/Browser.astro
@@ -82,6 +82,9 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 			"frame-src": [
 				"'self'",
 				"vscode-webview:",
+				"vscode-webview.net",
+				"*.vscode-cdn.net",
+				"*.vscode-webview.net",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
@@ -90,17 +93,24 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 				"'unsafe-inline'",
 				"'unsafe-eval'",
 				"blob:",
+				"vscode-file:",
+				"vscode-file://vscode-app",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
 			"style-src": [
 				"'self'",
 				"'unsafe-inline'",
+				"vscode-file:",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
 			"connect-src": [
 				"'self'",
+				"blob:",
+				"ipc:",
+				"vscode-file:",
+				"vscode-file://vscode-app",
 				"http://localhost:*",
 				"https://tauri.localhost",
 				"wss://tauri.localhost",
@@ -136,6 +146,9 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 			"frame-src": [
 				"'self'",
 				"vscode-webview:",
+				"vscode-webview.net",
+				"*.vscode-cdn.net",
+				"*.vscode-webview.net",
 				"http://localhost:*",
 				"https://tauri.localhost",
 				"https://*.vscode-cdn.net",
diff --git a/Source/pages/BrowserProxy.astro b/Source/pages/BrowserProxy.astro
@@ -82,6 +82,9 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 			"frame-src": [
 				"'self'",
 				"vscode-webview:",
+				"vscode-webview.net",
+				"*.vscode-cdn.net",
+				"*.vscode-webview.net",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
@@ -90,17 +93,24 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 				"'unsafe-inline'",
 				"'unsafe-eval'",
 				"blob:",
+				"vscode-file:",
+				"vscode-file://vscode-app",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
 			"style-src": [
 				"'self'",
 				"'unsafe-inline'",
+				"vscode-file:",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
 			"connect-src": [
 				"'self'",
+				"blob:",
+				"ipc:",
+				"vscode-file:",
+				"vscode-file://vscode-app",
 				"http://localhost:*",
 				"https://tauri.localhost",
 				"wss://tauri.localhost",
diff --git a/Source/pages/Electron.astro b/Source/pages/Electron.astro
@@ -82,6 +82,9 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 			"frame-src": [
 				"'self'",
 				"vscode-webview:",
+				"vscode-webview.net",
+				"*.vscode-cdn.net",
+				"*.vscode-webview.net",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
@@ -91,6 +94,7 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 				"'unsafe-eval'",
 				"blob:",
 				"vscode-file:",
+				"vscode-file://vscode-app",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
@@ -103,8 +107,10 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 			],
 			"connect-src": [
 				"'self'",
+				"blob:",
 				"ipc:",
 				"vscode-file:",
+				"vscode-file://vscode-app",
 				"http://localhost:*",
 				"https://tauri.localhost",
 				"wss://tauri.localhost",
diff --git a/Source/pages/Mountain.astro b/Source/pages/Mountain.astro
@@ -82,6 +82,9 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 			"frame-src": [
 				"'self'",
 				"vscode-webview:",
+				"vscode-webview.net",
+				"*.vscode-cdn.net",
+				"*.vscode-webview.net",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
@@ -90,17 +93,24 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 				"'unsafe-inline'",
 				"'unsafe-eval'",
 				"blob:",
+				"vscode-file:",
+				"vscode-file://vscode-app",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
 			"style-src": [
 				"'self'",
 				"'unsafe-inline'",
+				"vscode-file:",
 				"http://localhost:*",
 				"https://tauri.localhost",
 			],
 			"connect-src": [
 				"'self'",
+				"blob:",
+				"ipc:",
+				"vscode-file:",
+				"vscode-file://vscode-app",
 				"http://localhost:*",
 				"https://tauri.localhost",
 				"wss://tauri.localhost",
@@ -163,14 +173,27 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 
 	<!-- Inject folderUri from URL into workbench config (must run before module scripts) -->
 	<script is:inline slot="Meta">
-		(function() {
-			var FolderParam = new URLSearchParams(window.location.search).get("folder");
+		(function () {
+			var FolderParam = new URLSearchParams(window.location.search).get(
+				"folder",
+			);
 			if (FolderParam) {
-				var Element = document.getElementById("vscode-workbench-web-configuration");
+				var Element = document.getElementById(
+					"vscode-workbench-web-configuration",
+				);
 				if (Element) {
-					var Settings = JSON.parse(Element.getAttribute("data-settings") || "{}");
-					Settings.folderUri = { scheme: "file", path: FolderParam, authority: "" };
-					Element.setAttribute("data-settings", JSON.stringify(Settings));
+					var Settings = JSON.parse(
+						Element.getAttribute("data-settings") || "{}",
+					);
+					Settings.folderUri = {
+						scheme: "file",
+						path: FolderParam,
+						authority: "",
+					};
+					Element.setAttribute(
+						"data-settings",
+						JSON.stringify(Settings),
+					);
 				}
 			}
 		})();
diff --git a/Source/pages/index.astro b/Source/pages/index.astro
@@ -26,7 +26,6 @@ import MountainWorkbench from "../Workbench/Mountain.astro";
 
 // Environment detection ONLY
 const Bundle = process.env["Bundle"] === "true";
-const Browser = process.env["Browser"] === "true";
 const Mountain = process.env["Mountain"] === "true";
 const Electron = process.env["Electron"] === "true";
 const BrowserProxy = process.env["BrowserProxy"] === "true";
@@ -35,11 +34,12 @@ const BrowserProxy = process.env["BrowserProxy"] === "true";
 // Mountain uses the Electron workbench — it has the full IPC chain
 // (TauriMainProcessService → Mountain WindServiceHandlers → tokio::fs)
 // for real filesystem access. The browser workbench uses IndexedDB.
-const WorkbenchType = Electron || Mountain
-	? "Electron"
-	: BrowserProxy
-		? "BrowserProxy"
-		: "Browser"; // Default, not null
+const WorkbenchType =
+	Electron || Mountain
+		? "Electron"
+		: BrowserProxy
+			? "BrowserProxy"
+			: "Browser"; // Default, not null
 
 // Determine embedder identifier
 const EmbedderId = Electron || Mountain ? "desktop" : "browser";
@@ -93,6 +93,7 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 					"'unsafe-eval'",
 					"blob:",
 					"vscode-file:",
+					"vscode-file://vscode-app",
 					"http://localhost:*",
 					"https://tauri.localhost",
 				],
@@ -107,6 +108,7 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 					"'self'",
 					"ipc:",
 					"vscode-file:",
+					"vscode-file://vscode-app",
 					"http://localhost:*",
 					"https://tauri.localhost",
 					"wss://tauri.localhost",
@@ -198,14 +200,27 @@ const Worker = `/Worker.js?BASE_REMOTE=${encodeURIComponent(Astro.url.origin)}`;
 
 	<!-- Inject folderUri from URL into workbench config (must run before module scripts) -->
 	<script is:inline slot="Meta">
-		(function() {
-			var FolderParam = new URLSearchParams(window.location.search).get("folder");
+		(function () {
+			var FolderParam = new URLSearchParams(window.location.search).get(
+				"folder",
+			);
 			if (FolderParam) {
-				var Element = document.getElementById("vscode-workbench-web-configuration");
+				var Element = document.getElementById(
+					"vscode-workbench-web-configuration",
+				);
 				if (Element) {
-					var Settings = JSON.parse(Element.getAttribute("data-settings") || "{}");
-					Settings.folderUri = { scheme: "file", path: FolderParam, authority: "" };
-					Element.setAttribute("data-settings", JSON.stringify(Settings));
+					var Settings = JSON.parse(
+						Element.getAttribute("data-settings") || "{}",
+					);
+					Settings.folderUri = {
+						scheme: "file",
+						path: FolderParam,
+						authority: "",
+					};
+					Element.setAttribute(
+						"data-settings",
+						JSON.stringify(Settings),
+					);
 				}
 			}
 		})();
