
Fresh copy of code-server 4.98.2 fills the log with Content Security Policy error on Chrome #7285

Open

Description

@fabgilson

Is there an existing issue for this?

  • I have searched the existing issues

OS/Web Information

  • Web Browser: Chrome 134.0.6998.166 arm
  • Local OS: Mac OS Sequoia 15.3.2 (24D81)
  • Remote OS: Ubuntu 22.04.5
  • Remote Architecture: amd64
  • code-server --version: 4.98.2 e2c489d with Code 1.98.2

Steps to Reproduce

  1. Download the deb from GitHub and install a fresh copy, following the steps described here: https://coder.com/docs/code-server/install#debian-ubuntu (deb, dpkg)
  2. Create a service entry for a dedicated user (not a sudoer)
  3. Start the service
  4. Set up the nginx reverse proxy (config below)
  5. Log into code-server
  6. Open the "Output" tab and select "Window" from the dropdown (see below)

Nginx config:

location /code-server/ {
    proxy_pass http://localhost:9000/;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection upgrade;
    proxy_set_header Accept-Encoding gzip;
}
[certbot ssl config not reproduced]

Expected

Not having the log filled with error messages.
This seems to work on Firefox, where the logs do not fill up.

Actual

The logs in the Output window keep getting filled with the same error:

2025-03-27 20:40:42.365 [error] [Window] Failed to construct 'Worker': Access to the script at 'blob:https://SERVERNAME/7c4b764f-20dd-4be6-803c-73dd75b171ff' is denied by the document's Content Security Policy.: SecurityError: Failed to construct 'Worker': Access to the script at 'blob:https://SERVERNAME/7c4b764f-20dd-4be6-803c-73dd75b171ff' is denied by the document's Content Security Policy.
    at nls (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:13907)
    at new lls (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:15332)
    at Iwi.create (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:16079)
    at new ils (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:11441)
    at Z6 (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:1262:16240)
    at new ant (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:2552:9618)
    at ont.r (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:2552:9357)
    at ont.s (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:2552:9411)
    at Object.provideLinks (https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:2552:9227)
    at https://SERVERNAME/code-server/stable-e2c489dd00f163b1a8d959965b0c30c1a978a080/static/out/vs/code/browser/workbench/workbench.js:479:18336

Logs

see attached trace.log (in notes).


code-server --verbose > trace.log
[21:07:04] [127.0.0.1][024d80ed][ExtensionHostConnection] Unknown reconnection token (never seen).
[21:07:04] [127.0.0.1][400d0ec0][ManagementConnection] Unknown reconnection token (never seen).
File not found: /usr/lib/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
File not found: /usr/lib/code-server/lib/vscode/node_modules/vsda/rust/web/vsda.js

Screenshot/Video

[screenshot not reproduced]

Does this bug reproduce in native VS Code?

No, this works as expected in native VS Code

Does this bug reproduce in GitHub Codespaces?

I did not test GitHub Codespaces

Are you accessing code-server over a secure context?

  • I am using a secure context.

Notes

Activity

Labels bug (Something isn't working) and triage (This issue needs to be triaged by a maintainer) added on Mar 27, 2025

code-asher (Member) commented on Mar 27, 2025

Thank you for the logs! Is your server adding any content security policies or is code-server embedded on a page with content security policies?

One weird thing that stands out to me is that it seems to be trying to load domain.tld/hash rather than domain.tld/code-server/hash, I wonder if we are not handling the sub-path correctly somewhere. I am not seeing the same error despite also using a sub-path, but my Chrome version is older (131) so this could be new.

fabgilson (Author) commented on Mar 27, 2025

Hello @code-asher. Thanks for your quick reply. I dug into the other nginx.conf files (I don't have full control over the VM). I found the config that is causing the issue:

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; script-src-elem *  'unsafe-inline' ; font-src 'self' *; style-src * 'unsafe-inline'; img-src 'self' data: *;";

The Content-Security-Policy makes the sub-path reject the file. Is the handling of the sub-path under your control, or mine?

I can't get rid of that line, cybersecurity policy here. I'll talk to my IT team to see if I can make it more flexible for the code-server instance though.

Thanks!
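The header quoted above is enough on its own to produce the Worker error: a browser picks the directive that governs a worker script by walking worker-src, then child-src, script-src and default-src, and neither 'self' nor a bare * matches a blob: URL (a wildcard host never matches the blob:, data: or filesystem: schemes). The following added example, which is not code from this thread or from code-server, models just that part of the CSP3 matching rules and shows that appending `worker-src 'self' blob:` is the narrowest change that lets the Worker load; the page origin and the blob URL are taken from the reported error, and the host-source branch is a simplification (exact scheme and host only).

```python
# Added example (not code-server's code): a small model of the CSP3 source-matching
# rules that decide whether a worker script may load; only the source forms in the header above are modelled.
from urllib.parse import urlsplit

# CSP3 fallback chain for worker scripts.
WORKER_FALLBACK = ("worker-src", "child-src", "script-src", "default-src")

def parse_policy(policy: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source, ...]}."""
    directives = {}
    for raw in policy.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def source_matches(src: str, url: str, page_origin: str) -> bool:
    """Subset of the CSP3 'does url match source expression' check."""
    u, o = urlsplit(url), urlsplit(page_origin)
    if src == "*":
        # '*' matches http(s) URLs or the page's own scheme, never blob:, data: or filesystem:.
        return u.scheme in ("http", "https") or u.scheme == o.scheme
    if src == "'self'":
        # 'self' needs the page's scheme as well as its host, so a blob: URL fails here too.
        return u.scheme == o.scheme and u.netloc == o.netloc
    if src.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces and hashes never match a URL
    if src.endswith(":") and "/" not in src:
        return u.scheme == src[:-1].lower()  # scheme-source such as blob: or data:
    # Plain host-source: an exact scheme+host comparison is enough for this example (simplification).
    h = urlsplit(src if "://" in src else f"{o.scheme}://{src}")
    return u.scheme == h.scheme and u.netloc.lower() == h.netloc.lower()

def worker_allowed(policy: str, page_origin: str, worker_url: str) -> bool:
    """Find the governing directive via the fallback chain, then test its source list."""
    directives = parse_policy(policy)
    for name in WORKER_FALLBACK:
        if name in directives:
            return any(source_matches(s, worker_url, page_origin) for s in directives[name])
    return True  # no governing directive: the policy does not restrict workers

# Values from the reported error and the quoted header.
PAGE_ORIGIN = "https://SERVERNAME"
WORKER_URL = "blob:https://SERVERNAME/7c4b764f-20dd-4be6-803c-73dd75b171ff"
REPORTED_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *; "
                   "script-src-elem * 'unsafe-inline'; font-src 'self' *; "
                   "style-src * 'unsafe-inline'; img-src 'self' data: *;")
# Narrowest fix: permit blob: workers only, instead of widening script-src further.
FIXED_POLICY = REPORTED_POLICY + " worker-src 'self' blob:;"
```

`worker_allowed(REPORTED_POLICY, PAGE_ORIGIN, WORKER_URL)` returns False and the same call with FIXED_POLICY returns True, which is the difference between the error above and a clean log.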

code-asher (Member) commented on Mar 28, 2025

That sub-path should be under our control. We do some patching to automatically add the sub-path to various parts of VS Code, and we must have missed this one.

Edit: although, it could also be a miss on VS Code's side. More investigation needed.

fabgilson (Author) commented on Mar 28, 2025

Cool, thanks for confirming.

nowarzz commented on Apr 9, 2025

It still occurs in version 4.99.1.

auxtern commented on May 17, 2025

I recently tried to do something similar to what you did. I tried for hours and finally got it to work. Hopefully this will solve your problem.

From the server: [screenshot not reproduced]

With the reverse proxy: [screenshot not reproduced]

I use nginx in Docker; here is the configuration:

docker-compose.yml

services:
  nginx-proxy:
    image: nginx:latest
    container_name: nginx-proxy
    ports:
      - "8100:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
    extra_hosts:
      - "host.docker.internal:host-gateway"
    restart: unless-stopped
    networks:
      - proxy-network

networks:
  proxy-network:
    driver: bridge

nginx.conf

events {
    worker_connections 1024;
}

http {
    server {
        listen 80;

        location /vscode/developer/ {
            rewrite ^/vscode/developer/(.*)$ /$1 break;

            proxy_pass http://host.docker.internal:8080;
            proxy_redirect off;

            # WebSocket headers
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            # Forward original host and IP
            proxy_set_header Host 127.0.0.1:8080; # Must match the code-server port configuration.
            proxy_set_header Origin http://127.0.0.1:8080; # Must match the code-server port configuration.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Add auth headers if needed
            proxy_set_header Cookie $http_cookie;
            proxy_set_header Authorization $http_authorization;

            # Increase timeout settings
            proxy_read_timeout 86400s;
            proxy_send_timeout 86400s;
        }
    }
}

Good luck friend 😄

code-asher (Member) commented on May 19, 2025

Glad you got it working! I would caution against hard-coding the Origin header in the reverse proxy though, at least if either of these two scenarios apply to you: #6052 (comment)

If you do remove the hard-coded Origin, you will also need proxy_set_header Host $http_host;.

auxtern commented on May 20, 2025

Thanks, it works too.
[screenshot not reproduced]
