Host VS Code service worker code on a first-party domain
Problem to solve
The VS Code-based Web IDE uses service workers to sandbox the web views in the application. This security measure prevents malicious code in the web view from gaining access to the rest of the app, including your file system.
However, to create these service workers, VS Code pulls data from an external server (vscode-cdn.net). A third party hosts this public domain, and while it is not collecting any data from the GitLab instance, the HTTP header included in the request could be considered personal data.
Proposal
Host the same code available on vscode-cdn.net in a GitLab-owned domain (like gitlab-webide-cdn.net). Update VS Code and backport this fix to 16.0.x, which is when we made the new Web IDE the default experience on self-managed instances.
Details
This only solves the issue for non-airgapped instances. Those instances running in a completely offline environment will continue to have issues loading webviews and welcome screen assets.
We'll solve this for airgapped instances in a separate iteration.