- CSP: force https only when outer page is on https too

- bring back wrapping the web worker in an `<iframe>` by default

src/vs/workbench/services/extensions/browser/webWorkerExtensionHost.ts

@@ -73,7 +73,11 @@ export class WebWorkerExtensionHost extends Disposable implements IExtensionHost
 	}
 
 	private _wrapInIframe(): boolean {
-		return false;
+		if (this._environmentService.options && typeof this._environmentService.options._wrapWebWorkerExtHostInIframe === 'boolean') {
+			return this._environmentService.options._wrapWebWorkerExtHostInIframe;
+		}
+		// wrap in <iframe> by default
+		return true;
 	}
 
 	public async start(): Promise<IMessagePassingProtocol> {
@@ -102,11 +106,11 @@ export class WebWorkerExtensionHost extends Disposable implements IExtensionHost
 		const escapeAttribute = (value: string): string => {
 			return value.replace(/"/g, '&quot;');
 		};
-		const isBuilt = this._environmentService.isBuilt;
+		const forceHTTPS = (location.protocol === 'https:');
 		const html = `<!DOCTYPE html>
 <html>
 	<head>
-		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-eval' '${WEB_WORKER_IFRAME.sha}' ${isBuilt ? 'https:' : 'http: https:'}; worker-src data:; connect-src ${isBuilt ? 'https:' : 'http: https:'}" />
+		<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-eval' '${WEB_WORKER_IFRAME.sha}' ${forceHTTPS ? 'https:' : 'http: https:'}; worker-src data:; connect-src ${forceHTTPS ? 'https:' : 'http: https:'}" />
 		<meta id="vscode-worker-src" data-value="${escapeAttribute(workerSrc)}" />
 		<meta id="vscode-web-worker-ext-host-id" data-value="${escapeAttribute(vscodeWebWorkerExtHostId)}" />
 	</head>