Does this issue occur when all extensions are disabled?: Yes/No ---
- VS Code Version: ---
- OS Version: ---
monaco-editor version: 0.28.0
Hi. I have an issue with part of code inside monaco-editor's build code inside this particular file: https://unpkg.com/browse/monaco-editor@0.28.0/min/vs/editor/editor.main.js
I opened the issue here (rather than in monaco-editor's repository) because I found the code inside vscode's source code.
There is a code snippet that goes like `window.clipboardData.getData("Text")` (inside `src/vs/editor/browser/controller/textAreaInput.ts` as `(<any>window).clipboardData.getData('Text')`), which is probably there because of IE-support reasons. But as you may know, there is a security vulnerability reported for that small code snippet. `window.clipboardData.getData` is an alert.
My problem arises from the point that I deployed my web application, which included monaco-editor. It was all perfect, until I received a message that said the page that includes monaco-editor is not loading. I double-checked my website; it was fine everywhere. It worked. For debugging, I went to the organization that I received the message from. It did not work inside the organization. After hours of debugging I found out the IPS of the organization is preventing the `editor.main.js` file from arriving into the company's network.
My issue was resolved by simply removing every usage of `window.clipboardData` from the build code and serving it from my server (instead of using a CDN), because my web application did not need IE support. Later I found that simply doing this would trick that particular IPS too:
```js
var __someVariable__ = window;
__someVariable__.clipboardData.getData('Text');
```
That particular IPS may let this code through; but other IPSs may not!
So I'm here with this issue; maybe you can do something about it to prevent further problems like this from happening to anyone else.
You can gain more information about the security vulnerability by searching this message: HTTP BROWSER Microsoft Internet Explorer improper copy buffer access information disclosure attempt
And here is the problematic code inside vscode's source code: https://github.com/microsoft/vscode/blob/1.60.2/src/vs/editor/browser/controller/textAreaInput.ts#L676