[WebIDE] Remove restrictive Content Security Policy from web view iframe

MR: Pending

Problem to solve

VSCode Extensions with web views that load assets from 3rd-party origins fail to load due to a restrictive Content Security Policy that we introduced as a temporary measure to prevent security vulnerabilities that originated from hosting the Web IDE on a single domain.

Solution

After completing [WebIDE] Deploy Web IDE's VSCode workbench on .... (&16859 - closed), we can remove the Content Security Policy defined in the patch: https://gitlab.com/gitlab-org/gitlab-web-ide-vscode-fork/-/blob/main/vscode-patches/common/0007-fix-Patch-webview-html-to-prevent-xss-with-CSP.patch?ref_type=heads.

Acceptance criteria

Remove the patch https://gitlab.com/gitlab-org/gitlab-web-ide-vscode-fork/-/blob/main/vscode-patches/common/0007-fix-Patch-webview-html-to-prevent-xss-with-CSP.patch?ref_type=heads.
Publish a new release of the VSCode Fork.
Update the Web IDE with the new release of the VSCode Fork.

Edited Oct 24, 2025 by Enrique Alcántara