add AllowInsecureLocalContent option to MarkdownPreviewSecurityLevel (#46473)

extensions/markdown-language-features/src/features/previewContentProvider.ts

@@ -164,6 +164,9 @@ export class MarkdownContentProvider {
 			case MarkdownPreviewSecurityLevel.AllowInsecureContent:
 				return `<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src vscode-resource: http: https: data:; media-src vscode-resource: http: https: data:; script-src 'nonce-${nonce}'; style-src vscode-resource: 'unsafe-inline' http: https: data:; font-src vscode-resource: http: https: data:;">`;
 
+			case MarkdownPreviewSecurityLevel.AllowInsecureLocalContent:
+				return `<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src vscode-resource: https: data: http://localhost:* http://127.0.0.1:*; media-src vscode-resource: https: data: http://localhost:* http://127.0.0.1:*; script-src 'nonce-${nonce}'; style-src vscode-resource: 'unsafe-inline' https: data: http://localhost:* http://127.0.0.1:*; font-src vscode-resource: https: data: http://localhost:* http://127.0.0.1:*;">`;
+
 			case MarkdownPreviewSecurityLevel.AllowScriptsAndAllContent:
 				return '';
 

extensions/markdown-language-features/src/security.ts

@@ -14,7 +14,8 @@ const localize = nls.loadMessageBundle();
 export enum MarkdownPreviewSecurityLevel {
 	Strict = 0,
 	AllowInsecureContent = 1,
-	AllowScriptsAndAllContent = 2
+	AllowScriptsAndAllContent = 2,
+	AllowInsecureLocalContent = 3
 }
 
 export interface ContentSecurityPolicyArbiter {
@@ -109,6 +110,10 @@ export class PreviewSecuritySelector {
 					type: MarkdownPreviewSecurityLevel.Strict,
 					label: markActiveWhen(currentSecurityLevel === MarkdownPreviewSecurityLevel.Strict) + localize('strict.title', 'Strict'),
 					description: localize('strict.description', 'Only load secure content'),
+				}, {
+					type: MarkdownPreviewSecurityLevel.AllowInsecureLocalContent,
+					label: markActiveWhen(currentSecurityLevel === MarkdownPreviewSecurityLevel.AllowInsecureLocalContent) + localize('insecureLocalContent.title', 'Allow insecure local content'),
+					description: localize('insecureLocalContent.description', 'Enable loading content over http served from localhost'),
 				}, {
 					type: MarkdownPreviewSecurityLevel.AllowInsecureContent,
 					label: markActiveWhen(currentSecurityLevel === MarkdownPreviewSecurityLevel.AllowInsecureContent) + localize('insecureContent.title', 'Allow insecure content'),
@@ -133,7 +138,6 @@ export class PreviewSecuritySelector {
 					'preview.showPreviewSecuritySelector.title',
 					'Select security settings for Markdown previews in this workspace'),
 			});
-
 		if (!selection) {
 			return;
 		}