Spectrum is now read-only. Learn more about the decision in our official announcement.


Eclipse Theia - Cloud & Desktop IDE


Any breaking changes made recently to Webview?

November 25, 2019 at 9:41pm

Any breaking changes made recently to Webview?

November 25, 2019 at 9:41pm (Edited 3 years ago)
We noticed big regressions on webviews starting today. Are you guys aware of any possibly breaking changes to it?

November 25, 2019 at 9:41pm
We are still investigating, but something I noticed is that the iframes holding the webviews are being generated differently, the previous one (which were working) looked like this:
<iframe id="pending-frame" frameborder="0" style="display: block; margin: 0px; overflow: hidden; position: absolute; width: 100%; height: 100%; visibility: visible;" sandbox="allow-scripts allow-forms allow-same-origin"></iframe>
The new ones, which are not working, look like this:
<iframe class="webview" sandbox="allow-scripts allow-same-origin" sc="" style="border: none; width: 100%; height: 100%;"></iframe>
*I had to rename src attribute with sc cause it was misteriously breaking up stuff on my message...
they have recently been updated in an effort to support VS Code extensions and make them better, more secure overall You can always see the list of changes present as part of the changelog

November 26, 2019 at 7:40am
Please look at the PR which mentioned and at breaking changes for v.0.13.0 in the changelog. If something is not clear please let us know.
This comment should cover main gotchas of using webviews:

November 26, 2019 at 2:18pm
Thanks for the answers, we are working on a fix with the insecure mode for the moment.

November 27, 2019 at 2:27pm
could you explain what need to be done in order to support the default THEIA_WEBVIEW_EXTERNAL_ENDPOINT in cloud environment? (It is working fine with export THEIA_WEBVIEW_EXTERNAL_ENDPOINT={{hostname}})

November 28, 2019 at 4:53am
You need to make sure that a domain like *.webview.myhost can be resolved to the same ip address where myhost is deployed. You can avoid additional subdomains by replacing . with - for example, i.e. {{uuid}}-webview.{{hostname}}. It still yields an unique origin, but maybe you already have *.myhost DNS record.

June 2, 2020 at 7:26am
I am curious what are the security issues related to single webview domain. Maybe you have some specific scenario to share? Thanks!
Your main windows stores some token in cookies like to read private GitHub repos, any webview running in the same origin can read this token and access GitHub apis. Issues like that.