Workspaces: Configuration of custom CSP to support extensions

Proposal

Workspaces added support for installing extensions via the extension marketplace in GitLab 17.x, including third-party extensions. It would appear that some extensions fail to load due to CSP (Content Security Policy) violations, for example:

Refused to load the stylesheet 'https://vscode-remote+60001-...' ...
because it violates the following Content Security Policy directive: "default-src 'self' https://60001-workspace-....workspaces.example.net 'unsafe-inline'".
Note that 'style-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
Refused to load the script 'https://vscode-remote+60001-...' ...
because it violates the following Content Security Policy directive: "default-src 'self' https://60001-workspace-....workspaces.example.net 'unsafe-inline'".
Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.

Does the default CSP require updating to provide improved support for extensions?

For GitLab itself we are able to configure a custom CSP.

I don't see where we could configure the same for Workspaces.

Being able to set a custom CSP may help in these situations, but it is unclear. Setting specific policies (if we are able) for each extension seems onerous; is there another configuration option that is being overlooked, or does the problem lie elsewhere?

Edited by 🤖 GitLab Bot 🤖
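
How the browser arrives at the two violations quoted in the issue, as an added example that is not part of the original issue or of GitLab's code: a simplified CSP check that resolves `script-src-elem` / `style-src-elem` through the fallback chain to `default-src` and then matches the resource origin. The hostnames, the `check` helper and the `SCOPED_CSP` override are constructed for illustration; ports, paths, nonces, hashes and scheme-only sources are not modelled.

```javascript
// Added example: simplified CSP source-list check. Ports, paths, nonces and
// hashes are ignored. All hostnames below are constructed placeholders.
const FALLBACK = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
};

function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources); // first occurrence wins
  }
  return policy;
}

function origin(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)/i.exec(url);
  if (!m) throw new Error(`cannot parse ${url}`);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() };
}

function sourceMatches(source, res, self) {
  if (source === "'self'") return res.scheme === self.scheme && res.host === self.host;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/i.exec(source);
  const scheme = (m[1] || self.scheme).toLowerCase();
  const host = m[2].toLowerCase();
  if (scheme !== res.scheme) return false;
  return host.startsWith('*.') ? res.host.endsWith(host.slice(1)) : host === res.host;
}

// Returns which directive governs the fetch and whether the URL passes it.
function check(header, directive, resourceUrl, pageUrl) {
  const policy = parsePolicy(header);
  const effective = FALLBACK[directive].find((d) => policy.has(d)) || null;
  if (!effective) return { effective, allowed: true }; // no directive applies
  const res = origin(resourceUrl);
  const self = origin(pageUrl);
  return { effective, allowed: policy.get(effective).some((s) => sourceMatches(s, res, self)) };
}

const PAGE = 'https://60001-workspace-demo.workspaces.example.net/';
const EXT = 'https://vscode-remote+60001-workspace-demo.cdn.example.net/ext/main.js';
const DEFAULT_CSP = "default-src 'self' https://60001-workspace-demo.workspaces.example.net 'unsafe-inline'";
// Hypothetical override: an explicit directive replaces default-src, it does not extend it.
const SCOPED_CSP = `${DEFAULT_CSP}; script-src-elem 'self' https://vscode-remote+60001-workspace-demo.cdn.example.net`;
for (const csp of [DEFAULT_CSP, SCOPED_CSP]) console.log(check(csp, 'script-src-elem', EXT, PAGE));
```

With the scoped policy, scripts from the extension origin pass while stylesheets from the same origin are still judged against `default-src`, so each fetch type an extension uses needs its own directive or a wider `default-src`.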