Test cross origin isolation for desktop

[jrieken]

Refs: #116715

• anyOS @paulacamargo25
• anyOS @karrtikr
• anyOS @andreamah
• anyOS @sandy081
• WIndows/macOS + Luna Paint @Tyriar

Complexity: 4

Create Issue

---

This is a continuation of #158792 but for desktop.

Background: On desktop we now have the ability to enable cross origin isolation - that's the enabler for shared array buffers which unlocks many interesting scenarios (like "vscode-wasi"). Enabling cross origin isolation (COI) requires us to set two http header COOP and COEP. The latter means only resources that are OK with being embedded will load. This doesn't affect resources from VS Code itself but can affect resources that extensions load. They need to be served with the CORP header.

Testing: Check-off one of the extensions below and play around with their webview (or notebook renderering) features, like GitLens settings editor etc. Observe dev tools for errors

• quit all windows of vscode
• restart with the --enable-coi flag, e.g code-insiders --enable-coi
• open Developer Tool, select the "Network" tab, and check "Blocked Request"
• Keep an eye open for blocked requests
• ℹ️ we cannot fix these errors but we need to reach out to the server/CDN that serve these resources. Just append the blocked domains/urls to this issue, only file an issue against the extension if you are certain that they can fix it (inside knowledge)

The sample below is GitHub issue notebook. Notice how avatars aren't loading and how each request shows as blocked.

---

tested in #158792

• GitLens https://marketplace.visualstudio.com/items?itemName=eamodio.gitlens
• Jupyter https://marketplace.visualstudio.com/items?itemName=ms-toolsai.jupyter
• HexEditor https://marketplace.visualstudio.com/items?itemName=ms-vscode.hexeditor @lramos15
• ExcelViewer https://marketplace.visualstudio.com/items?itemName=GrapeCity.gc-excelviewer
• Volar https://marketplace.visualstudio.com/items?itemName=Vue.volar

new items

• LunaPaint @Tyriar
• Bicep https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep @karrtikr
• Quokka.js https://marketplace.visualstudio.com/items?itemName=WallabyJs.quokka-vscode @sandy081
• Latex Workshop https://marketplace.visualstudio.com/items?itemName=James-Yu.latex-workshop
• Tabnine https://marketplace.visualstudio.com/items?itemName=TabNine.tabnine-vscode

[sandy081]

Quokka.js

Here are the blocked requests I observed when opening the Quokka.js: Manage License Key page.

• https://quokkajs.com/assets/img/vsc-recent-files.gif
• https://quokkajs.com/assets/img/vsc-auto-log.gif
• https://quokkajs.com/assets/img/vsc-sticky-values.gif

[Tyriar]

Is this meant to work on Windows? When I run code-insiders --enable-coi I don't see the headers and therefore cannot access window.SharedArrayBuffer:

I do on my mac though:

Version: 1.72.0-insider (user setup)
Commit: 36b1398
Date: 2022-09-27T05:18:12.318Z
Electron: 19.0.17
Chromium: 102.0.5005.167
Node.js: 16.14.2
V8: 10.2.154.15-electron.0
OS: Windows_NT x64 10.0.22000
Sandboxed: Yes

[Tyriar]

Luna Paint requests seems to work fine. With minimal changes I can re-enable SABs but I haven't done some of the required work to handle Workers, so I can't turn that stuff back on yet unfortunately.

So it's just the Windows problem above.

[andreamah]

Tabnine seems to be good on Windows (tested the hub page and its AI Assistant viewlet)

[jrieken]

Is this meant to work on Windows?

Yes. Filed: #162141. The request misses the &vscode-coi=3 parameter which means the renderer itself isn't cross origin isolated which likely means the flag is getting lost somewhere along the way

[karrtikr]

No blocked requests reported from Bicep on Windows (tested getting started exp and visualizer)

[paulacamargo25]

Latex Workshop seems to be good, no blocked requests reported (Tested on macOS)