Add getNonce function to generate webview nonces

5b8ce768 · Matt Bierner · 31185ce9 · 5b8ce768 · 5b8ce768 · 5b8ce768
4 changed file
--- a/extensions/image-preview/src/preview.ts
+++ b/extensions/image-preview/src/preview.ts
@@ -210,7 +210,7 @@ class Preview extends Disposable {
 			src: await this.getResourcePath(this.webviewEditor, this.resource, version),
 		};

-		const nonce = Date.now().toString();
+		const nonce = getNonce();

 		const cspSource = this.webviewEditor.webview.cspSource;
 		return /* html */`<!DOCTYPE html>
@@ -265,3 +265,12 @@ class Preview extends Disposable {
 function escapeAttribute(value: string | vscode.Uri): string {
 	return value.toString().replace(/"/g, '&quot;');
 }
+
+function getNonce() {
+	let text = '';
+	const possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+	for (let i = 0; i < 64; i++) {
+		text += possible.charAt(Math.floor(Math.random() * possible.length));
+	}
+	return text;
+}
--- a/extensions/markdown-language-features/src/features/previewContentProvider.ts
+++ b/extensions/markdown-language-features/src/features/previewContentProvider.ts
@@ -78,7 +78,7 @@ export class MarkdownContentProvider {
 		this.logger.log('provideTextDocumentContent', initialData);

 		// Content Security Policy
-		const nonce = new Date().getTime() + '' + new Date().getMilliseconds();
+		const nonce = getNonce();
 		const csp = this.getCsp(resourceProvider, sourceUri, nonce);

 		const body = await this.engine.render(markdownDocument, resourceProvider);
@@ -228,3 +228,12 @@ export class MarkdownContentProvider {
 		}
 	}
 }
+
+function getNonce() {
+	let text = '';
+	const possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+	for (let i = 0; i < 64; i++) {
+		text += possible.charAt(Math.floor(Math.random() * possible.length));
+	}
+	return text;
+}
--- a/extensions/simple-browser/src/simpleBrowserView.ts
+++ b/extensions/simple-browser/src/simpleBrowserView.ts
@@ -85,7 +85,7 @@ export class SimpleBrowserView extends Disposable {
 	private getHtml(url: string) {
 		const configuration = vscode.workspace.getConfiguration('simpleBrowser');

-		const nonce = new Date().getTime() + '' + new Date().getMilliseconds();
+		const nonce = getNonce();

 		const mainJs = this.extensionResourceUrl('media', 'index.js');
 		const mainCss = this.extensionResourceUrl('media', 'main.css');
@@ -154,3 +154,13 @@ export class SimpleBrowserView extends Disposable {
 function escapeAttribute(value: string | vscode.Uri): string {
 	return value.toString().replace(/"/g, '&quot;');
 }
+
+
+function getNonce() {
+	let text = '';
+	const possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+	for (let i = 0; i < 64; i++) {
+		text += possible.charAt(Math.floor(Math.random() * possible.length));
+	}
+	return text;
+}
--- a/extensions/vscode-custom-editor-tests/src/customTextEditor.ts
+++ b/extensions/vscode-custom-editor-tests/src/customTextEditor.ts
@@ -133,7 +133,7 @@ class AbcEditor extends Disposable {
 	private get html() {
 		const contentRoot = path.join(this._extensionPath, 'customEditorMedia');
 		const scriptUri = vscode.Uri.file(path.join(contentRoot, 'textEditor.js'));
-		const nonce = Date.now() + '';
+		const nonce = getNonce();
 		return /* html */`<!DOCTYPE html>
 			<html lang="en">
 			<head>
@@ -163,3 +163,12 @@ class AbcEditor extends Disposable {
 		this.syncedVersion = this.document.version;
 	}
 }
+
+function getNonce() {
+	let text = '';
+	const possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+	for (let i = 0; i < 64; i++) {
+		text += possible.charAt(Math.floor(Math.random() * possible.length));
+	}
+	return text;
+}