Rendered from specs/S01-security.md — edit it there, not here.
S01 — Webview Security
Overview
All webview panels MUST enforce a Content-Security-Policy (CSP) that prevents untrusted code execution and limits resource loading to necessary origins only.
Requirements
Nonce-Based CSP
- S01-SR-01 Every webview HTML document MUST include a
Content-Security-Policymeta tag as the first element inside<head>. - S01-SR-02 The CSP
script-srcdirective MUST allow only scripts that carry the webview's nonce value:script-src 'nonce-<nonce>'. - S01-SR-03 A cryptographically-random nonce of at least 32 characters MUST be generated fresh for every HTML document that is written to a webview.
- S01-SR-04 Every
<script>element in generated HTML (including those produced byjson-schema-for-humans) MUST be stamped with thenonceattribute before the document is sent to the webview. - S01-SR-05 The
default-srcdirective MUST be'none'so all resource types are deny-by-default unless explicitly listed. - S01-SR-06
style-srcMAY include'unsafe-inline'andhttps:becausejson-schema-for-humanstemplates rely on inline style attributes and CDN stylesheets; inline styles do not pose code-execution risk. - S01-SR-07
img-srcandfont-srcMUST be limited tohttps:anddata:.
HTML Sanitisation
- S01-SR-08 Any schema-derived value embedded into a webview HTML string (e.g. filenames, error messages) MUST be passed through
sanitizeHtmlwhich escapes&,<, and>. - S01-SR-09 Any schema-derived value embedded inside a
<script>block MUST be serialised withembedJsonwhich additionally escapes<as<to prevent</script>injection.
Static Pages
- S01-SR-10 Loading and error pages that contain no scripts MUST use a stricter static-page CSP:
script-src 'none'; style-src 'unsafe-inline'; img-src data:.
Local Resource Roots
- S01-SR-11 The
localResourceRootsof each webview panel MUST be scoped to the minimum necessary directory (e.g. the schema file's parent directory for the preview panel).
Requirement traceability
Status of each requirement in specs/traceability.json. Test coverage is auto-discovered from [ID] tags in test titles and is not listed here.
| Requirement | Status | Implementation | Note |
|---|---|---|---|
S01-SR-01 | manual | src/PreviewWebPanel.ts | VS Code API-bound; verified by manual / E2E testing |
S01-SR-02 | manual | src/PreviewWebPanel.ts | VS Code API-bound; verified by manual / E2E testing |
S01-SR-03 | implemented | src/webviewUtils.ts | getNonce CSPRNG >=128-bit unit-tested |
S01-SR-04 | manual | src/PreviewWebPanel.ts | VS Code API-bound; verified by manual / E2E testing |
S01-SR-05 | manual | src/PreviewWebPanel.ts | VS Code API-bound; verified by manual / E2E testing |
S01-SR-06 | manual | src/PreviewWebPanel.ts | VS Code API-bound; verified by manual / E2E testing |
S01-SR-07 | manual | src/PreviewWebPanel.ts | VS Code API-bound; verified by manual / E2E testing |
S01-SR-08 | implemented | src/webviewUtils.ts | sanitizeHtml unit-tested |
S01-SR-09 | implemented | src/webviewUtils.ts | embedJson unit-tested |
S01-SR-10 | implemented | src/webviewUtils.ts | static-page CSP unit-tested |
S01-SR-11 | manual | src/PreviewWebPanel.ts | VS Code API-bound; verified by manual / E2E testing |