change(webview): mr detail.

Author: cangzhang

package.json

@@ -117,8 +117,7 @@
     "ky": "^0.24.0",
     "nanoid": "^3.1.16",
     "react": "^17.0.0",
-    "react-dom": "^17.0.0",
-    "simple-git": "^2.21.0"
+    "react-dom": "^17.0.0"
   },
   "devDependencies": {
     "@types/react": "^16.9.53",

src/common/utils.ts

@@ -57,3 +57,12 @@ export function parseCloneUrl(url: string): IRepoInfo | null {
   const [team, project, repo] = str.split(`/`);
   return { team, project, repo: repo || project };
 }
+
+export function getNonce() {
+  let text = '';
+  const possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+  for (let i = 0; i < 32; i++) {
+    text += possible.charAt(Math.floor(Math.random() * possible.length));
+  }
+  return text;
+}

src/panel.ts

@@ -1,7 +1,8 @@
 import * as vscode from 'vscode';
 import * as path from 'path';
 
-import { IMRWebViewDetail } from './typings/commonTypes'
+import { IMRWebViewDetail } from './typings/commonTypes';
+import { getNonce } from './common/utils';
 
 export class Panel {
   /**
@@ -142,27 +143,24 @@ export class Panel {
   }
 
   private _getHtmlForWebview(webview: vscode.Webview) {
-    const appPathOnDisk = vscode.Uri.file(path.join(this._extensionPath, 'out/webviews/main.js'));
-    const appUri = appPathOnDisk.with({ scheme: 'vscode-resource' });
+    const appPathOnDisk = vscode.Uri.joinPath(this._extensionUri, 'out/webviews/main.js');
+    const appUri = webview.asWebviewUri(appPathOnDisk);
+    const nonce = getNonce();
 
     return `<!DOCTYPE html>
 		  <html lang="en">
 		  <head>
 			  <meta charset="UTF-8">
-			  <meta name="viewport" content="width=device-width, initial-scale=1.0">
 			  <title>Merge Request Overview</title>
-
+			  <meta name="viewport" content="width=device-width, initial-scale=1.0">
 			  <meta http-equiv="Content-Security-Policy"
-						  content="default-src 'unsafe-inline';
-								   img-src https:;
-				   script-src 'unsafe-eval' 'unsafe-inline' vscode-resource:;
-				   connect-src 'self' https: *.coding.net;
-								   style-src vscode-resource: 'unsafe-inline';">
+              content="default-src 'unsafe-eval'; style-src vscode-resource: 'unsafe-inline' http: https: data:;; img-src vscode-resource: https:; script-src 'nonce-${nonce}' 'unsafe-eval'; connect-src https:">
 		  </head>
 		  <body>
 			  <div id="root"></div>
-			  <script src="${appUri}"></script>
+			  <script nonce="${nonce}" src="${appUri}"></script>
 		  </body>
 		  </html>`;
   }
 }
+

src/typings/commonTypes.ts

@@ -1,4 +1,4 @@
-import { IMRDetail, IMRDetailResponse, UserResponse } from './respResult';
+import { IMRDetail, UserResponse } from './respResult';
 
 export interface IRepoInfo {
   team: string;

yarn.lock

@@ -898,18 +898,6 @@
     minimatch "^3.0.4"
     strip-json-comments "^3.1.1"
 
-"@kwsites/file-exists@^1.1.1":
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/@kwsites/file-exists/-/file-exists-1.1.1.tgz#ad1efcac13e1987d8dbaf235ef3be5b0d96faa99"
-  integrity sha512-m9/5YGR18lIwxSFDwfE3oA7bWuq9kdau6ugN4H2rJeyhFQZcG9AgSHkQtSD15a8WvTgfz9aikZMrKPHvbpqFiw==
-  dependencies:
-    debug "^4.1.1"
-
-"@kwsites/promise-deferred@^1.1.1":
-  version "1.1.1"
-  resolved "https://registry.yarnpkg.com/@kwsites/promise-deferred/-/promise-deferred-1.1.1.tgz#8ace5259254426ccef57f3175bc64ed7095ed919"
-  integrity sha512-GaHYm+c0O9MjZRu0ongGBRbinu8gVAMd2UZjji6jVmqKtZluZnptXGWhz1E8j8D2HJ3f/yMxKAUC0b+57wncIw==
-
 "@mrmlnc/readdir-enhanced@^2.2.1":
   version "2.2.1"
   resolved "https://registry.yarnpkg.com/@mrmlnc/readdir-enhanced/-/readdir-enhanced-2.2.1.tgz#524af240d1a360527b730475ecfa1344aa540dde"
@@ -5914,15 +5902,6 @@ simple-get@^3.0.3:
     once "^1.3.1"
     simple-concat "^1.0.0"
 
-simple-git@^2.21.0:
-  version "2.21.0"
-  resolved "https://registry.yarnpkg.com/simple-git/-/simple-git-2.21.0.tgz#d25d3fdc6a139cd7f80f197541a6f9f6e9d4cbc8"
-  integrity sha512-rohCHmEjD/ESXFLxF4bVeqgdb4Awc65ZyyuCKl3f7BvgMbZOBa/Ye3HN/GFnvruiUOAWWNupxhz3Rz5/3vJLTg==
-  dependencies:
-    "@kwsites/file-exists" "^1.1.1"
-    "@kwsites/promise-deferred" "^1.1.1"
-    debug "^4.1.1"
-
 slash@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/slash/-/slash-1.0.0.tgz#c41f2f6c39fc16d1cd17ad4b5d896114ae470d55"