release: 4.8.1-rc.1 (#5713 )

* chore(release): bump version to 4.8.1 * fixup * revert: don't change to 4.8.1
fix: CSP and webview errors (#5712 )
2026-05-07 04:51:59 +02:00 · 2022-10-26 18:50:08 +00:00 · 2022-10-26 11:20:11 -07:00
5 changed files with 25 additions and 28 deletions
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "code-server",
  "license": "MIT",
-  "version": "4.8.0",
+  "version": "4.8.1-rc.1",
  "description": "Run VS Code on a remote server.",
  "homepage": "https://github.com/coder/code-server",
  "bugs": {
--- a/patches/parent-origin.diff
+++ b/patches/parent-origin.diff
@@ -1,24 +0,0 @@
 Remove parentOriginHash checko
 This fixes webviews from not working properly due to a change upstream.
 Upstream added a check to ensure parent authority is encoded into the webview
 origin. Since our webview origin is the parent authority, we can bypass this
 check.
 Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
 +++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/main.js
@@ -317,6 +317,12 @@ const hostMessaging = new class HostMess
 		const id = searchParams.get('id');
 		const hostname = location.hostname;
 +
 +		// It is safe to run if we are on the same host.
 +		const parent = new URL(parentOrigin)
 +		if (parent.hostname == location.hostname) {
 +			return start(parentOrigin)
 +		}
 		if (!crypto.subtle) {
 			// cannot validate, not running in a secure context
--- a/patches/telemetry.diff
+++ b/patches/telemetry.diff
@@ -3,7 +3,7 @@ Add support for telemetry endpoint
 To test:
 1. Create a RequestBin - https://requestbin.io/
 2. Run code-server with `CS_TELEMETRY_URL` set: 
-  i.e. `CS_TELEMETRY_URL="https://requestbin.io/1ebub9z1" ./code-server-4.8.0-macos-amd64/bin/code-server`
+  i.e. `CS_TELEMETRY_URL="https://requestbin.io/1ebub9z1" ./code-server-<version>-macos-amd64/bin/code-server`
 3. Load code-server in browser an do things (i.e. open a file)
 4. Refresh RequestBin and you should see logs
--- a/patches/webview.diff
+++ b/patches/webview.diff
@@ -25,6 +25,18 @@ Make sure to update the hash. To do so:
 2. open any webview (i.e. preview Markdown)
 3. see error in console and copy hash
 That will test the hash change in pre/index.html
 Double-check the console to make sure there are no console errors for the webWorkerExtensionHostIframe
 which also requires a hash change.
 parentOriginHash changes
 This fixes webviews from not working properly due to a change upstream.
 Upstream added a check to ensure parent authority is encoded into the webview
 origin. Since our webview origin is the parent authority, we can bypass this
 check.
 Index: code-server/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/services/environment/browser/environmentService.ts
@@ -54,6 +66,15 @@ Index: code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index
 ===================================================================
 --- code-server.orig/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
 +++ code-server/lib/vscode/src/vs/workbench/contrib/webview/browser/pre/index.html
@@ -5,7 +5,7 @@
 	<meta charset="UTF-8">
 	<meta http-equiv="Content-Security-Policy"
 -		content="default-src 'none'; script-src 'sha256-wwaDxsm1+SKIUb5YJXiZlYMyV7QPB8+zd6HPcTjigZs=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
 +		content="default-src 'none'; script-src 'sha256-IZkGO4jZeUn7pzM6pBZCZc9bUYm8oVNV3z8zEa8gxlk=' 'self'; frame-src 'self'; style-src 'unsafe-inline';">
 	<!-- Disable pinch zooming -->
 	<meta name="viewport"
@@ -331,6 +331,12 @@
 				const hostname = location.hostname;
@@ -93,7 +114,7 @@ Index: code-server/lib/vscode/src/vs/workbench/services/extensions/worker/webWor
 			default-src 'none';
 			child-src 'self' data: blob:;
 -			script-src 'self' 'unsafe-eval' 'sha256-/r7rqQ+yrxt57sxLuQ6AMYcy/lUpvAIzHjIJt/OeLWU=' https:;
-+			script-src 'self' 'unsafe-eval' 'sha256-wwaDxsm1+SKIUb5YJXiZlYMyV7QPB8+zd6HPcTjigZs=' https:;
+			script-src 'self' 'unsafe-eval' 'sha256-TkIM/TmudlFEe0ZRp0ptvN54LClwk30Rql4ZPE0hm/I=' https:;
 			connect-src 'self' https: wss: http://localhost:* http://127.0.0.1:* ws://localhost:* ws://127.0.0.1:*;"/>
 	</head>
 	<body>
--- a/test/unit/node/test-plugin/package.json
+++ b/test/unit/node/test-plugin/package.json
@@ -3,7 +3,7 @@
  "name": "test-plugin",
  "version": "1.0.0",
  "engines": {
-    "code-server": "^4.8.0"
+    "code-server": "^4.8.1-rc.1"
  },
  "main": "out/index.js",
  "devDependencies": {