Any breaking changes made recently to Webview?

We noticed big regressions on webviews starting today. Are you guys aware of any possibly breaking changes to it?

[original thread by Raphael Dos Santos]

[Raphael Dos Santos]

We are still investigating, but something I noticed is that the iframes holding the webviews are being generated differently. The previous ones (which were working) looked like this:

[Raphael Dos Santos]

The new ones, which are not working, look like this:

[Raphael Dos Santos]

[Raphael Dos Santos]

*I had to rename the src attribute to sc because it was mysteriously breaking up stuff in my message…

@santosr they have recently been updated in an effort to support VS Code extensions and make them better, more secure overall https://github.com/eclipse-theia/theia/pull/6465. You can always see the list of changes present as part of the changelog

@santosr Please look at the PR which @vince-fugnitto mentioned and at breaking changes for v.0.13.0 in the changelog. If something is not clear please let us know.

This comment should cover main gotchas of using webviews: https://github.com/eclipse-theia/theia/pull/6465#issuecomment-557494879

[Raphael Dos Santos]

Thanks for the answers, we are working on a fix with the insecure mode for the moment.

[amiramw]

@anton-kosyakov could you explain what needs to be done in order to support the default THEIA_WEBVIEW_EXTERNAL_ENDPOINT in a cloud environment? (It is working fine with export THEIA_WEBVIEW_EXTERNAL_ENDPOINT={{hostname}})

You need to make sure that a domain like .webview.myhost can be resolved to the same IP address where myhost is deployed. You can avoid additional subdomains by replacing . with -, for example {{uuid}}-webview.{{hostname}}. It still yields a unique origin, but maybe you already have a .myhost DNS record.

[Julien Eluard]

I am curious what the security issues related to a single webview domain are. Maybe @anton-kosyakov you have some specific scenario to share? Thanks!

Your main window stores some token in cookies, like to read private GitHub repos; any webview running in the same origin can read this token and access GitHub APIs. Issues like that.
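[added example, not part of the original thread]

To check an endpoint pattern before deploying, the sketch below expands the two patterns quoted in this thread and reports whether webviews share an origin with the main window or with each other, and which main-window cookies a webview's host would match under RFC 6265 domain matching. It is not Theia code: the function names, the host myhost.example, the cookie names and the UUIDs are constructed, and it assumes {{hostname}} expands to the main window's host.

```javascript
// Constructed sample data (not taken from any real deployment).
const SAMPLE_UUIDS = ['1b9d6bcd-bbfd-4b2d-9b5d-ab8dfbbd4bed',
                      '6ec0bd7f-11c0-43da-975e-2a8ad9ebae0b'];
const SAMPLE_COOKIES = [
  { name: 'gh_token', domain: 'myhost.example', hostOnly: true },  // no Domain attribute
  { name: 'session',  domain: 'myhost.example', hostOnly: false }, // Domain=myhost.example
];

// Substitute the placeholders used in THEIA_WEBVIEW_EXTERNAL_ENDPOINT patterns.
// Assumption: {{hostname}} is replaced by the main window's host.
function webviewHost(pattern, uuid, hostname) {
  return pattern.replace('{{uuid}}', uuid).replace('{{hostname}}', hostname);
}

// RFC 6265 matching: a host-only cookie needs an exact host match; a cookie
// set with a Domain attribute also matches every subdomain of that domain.
function cookieVisible(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Audit one pattern against the main window URL and its cookies.
function auditPattern(pattern, mainUrl, cookies) {
  const main = new URL(mainUrl);
  const [a, b] = SAMPLE_UUIDS.map(id =>
    new URL(`${main.protocol}//${webviewHost(pattern, id, main.host)}/`));
  return {
    sharesMainOrigin: a.origin === main.origin,    // webview can act as the main window
    webviewsShareOrigin: a.origin === b.origin,    // webviews can reach each other
    exposedCookies: cookies.filter(c => cookieVisible(c, a.hostname)).map(c => c.name),
  };
}

for (const pattern of ['{{hostname}}', '{{uuid}}-webview.{{hostname}}']) {
  console.log(pattern, auditPattern(pattern, 'https://myhost.example/', SAMPLE_COOKIES));
}
```

With the per-webview pattern the host-only cookie is no longer matched, but a cookie set with Domain=myhost.example still matches every webview subdomain, so token cookies on the main host should be host-only.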