Read GITPOD_CODE_HOST variable

Author: jeanp413

src/vs/gitpod/browser/workbench/workbench-dev.html

@@ -146,6 +146,12 @@
 	<script src="{{WORKBENCH_WEB_BASE_URL}}/out/vs/loader.js" onerror="onVsCodeWorkbenchError(event)" crossorigin="anonymous"></script>
 	<script src="{{WORKBENCH_WEB_BASE_URL}}/out/vs/webPackagePaths.js" onerror="onVsCodeWorkbenchError(event)" crossorigin="anonymous"></script>
 	<script>
+		// Important: this is required to evaluate product config values internally
+		// See src/vs/gitpod/platform/product/common/product.ts
+		globalThis.env = {
+			GITPOD_CODE_HOST: window.location.host.split('.').splice(2).join('.')
+		};
+
 		const baseUrl = new URL('{{WORKBENCH_WEB_BASE_URL}}', window.location.origin).toString();
 		Object.keys(self.webPackagePaths).map(function (key, index) {
 			self.webPackagePaths[key] = `${baseUrl}/remote/web/node_modules/${key}/${self.webPackagePaths[key]}`;

src/vs/gitpod/browser/workbench/workbench.html

@@ -129,7 +129,7 @@
 		<meta name="mobile-web-app-capable" content="yes" />
 		<meta name="apple-mobile-web-app-capable" content="yes" />
 		<meta name="apple-mobile-web-app-title" content="Code">
-		<link rel="apple-touch-icon" href="/code-192.png" />
+		<link rel="apple-touch-icon" href="{{WORKBENCH_WEB_BASE_URL}}/code-192.png" />
 
 		<!-- Disable pinch zooming -->
 		<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no">
@@ -142,7 +142,7 @@
 
 		<!-- Workbench Icon/Manifest/CSS -->
 		<link rel="icon" href="/favicon.ico" type="image/x-icon" />
-		<link rel="manifest" href="/manifest.json" />
+		<link rel="manifest" href="{{WORKBENCH_WEB_BASE_URL}}/manifest.json" />
 		<link data-name="vs/workbench/workbench.web.main" rel="stylesheet" href="{{WORKBENCH_WEB_BASE_URL}}/out/vs/workbench/workbench.web.main.css" onerror="onVsCodeWorkbenchError(event)">
 
 		<style>
@@ -166,6 +166,10 @@
 	<script src="{{WORKBENCH_WEB_BASE_URL}}/out/vs/loader.js" onerror="onVsCodeWorkbenchError(event)" crossorigin="anonymous"></script>
 	<script src="{{WORKBENCH_WEB_BASE_URL}}/out/vs/webPackagePaths.js" onerror="onVsCodeWorkbenchError(event)" crossorigin="anonymous"></script>
 	<script>
+		globalThis.env = {
+			GITPOD_CODE_HOST: window.location.host.split('.').splice(2).join('.')
+		};
+
 		const baseUrl = new URL('{{WORKBENCH_WEB_BASE_URL}}', window.location.origin).toString();
 		Object.keys(self.webPackagePaths).map(function (key, index) {
 			self.webPackagePaths[key] = `${baseUrl}/node_modules/${key}/${self.webPackagePaths[key]}`;
@@ -175,7 +179,10 @@
 			recordStats: true,
 			trustedTypesPolicy: window.trustedTypes?.createPolicy('amdLoader', {
 				createScriptURL(value) {
-					return value;
+					if (value.startsWith(window.location.origin) || value.startsWith('{{WORKBENCH_WEB_BASE_URL}}')) {
+						return value;
+					}
+					throw new Error(`Invalid script url: ${value}`);
 				}
 			}),
 			paths: {

src/vs/gitpod/browser/workbench/workbench.ts

@@ -520,7 +520,6 @@ async function doStart(): Promise<IDisposable> {
 
 	const gitpodHostURL = new URL(info.gitpodHost);
 	const gitpodDomain = gitpodHostURL.protocol + '//*.' + gitpodHostURL.host;
-	const syncStoreURL = info.gitpodHost + '/code-sync';
 
 	const secretStorageProvider = new LocalStorageSecretStorageProvider();
 	interface GetTokenResponse {
@@ -918,34 +917,9 @@ async function doStart(): Promise<IDisposable> {
 		},
 		urlCallbackProvider: new LocalStorageURLCallbackProvider('/vscode-extension-auth-callback'),
 		secretStorageProvider,
+		additionalTrustedDomains: [gitpodDomain],
 		productConfiguration: {
-			linkProtectionTrustedDomains: [
-				...(product.linkProtectionTrustedDomains || []),
-				gitpodDomain
-			],
-			'configurationSync.store': {
-				url: syncStoreURL,
-				stableUrl: syncStoreURL,
-				insidersUrl: syncStoreURL,
-				canSwitch: false,
-				authenticationProviders: {
-					gitpod: {
-						scopes: ['function:accessCodeSyncStorage']
-					}
-				}
-			},
-			'editSessions.store': {
-				url: syncStoreURL,
-				canSwitch: false,
-				authenticationProviders: {
-					gitpod: {
-						scopes: ['function:accessCodeSyncStorage']
-					}
-				}
-			},
 			webEndpointUrlTemplate,
-			commit: product.commit,
-			quality: product.quality
 		},
 		settingsSyncOptions: {
 			enabled: true,

src/vs/gitpod/platform/product/common/product.ts

@@ -0,0 +1,65 @@
+/* eslint-disable local/code-import-patterns */
+/* eslint-disable header/header */
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+import { isWeb } from 'vs/base/common/platform';
+import { IProductConfiguration } from 'vs/base/common/product';
+
+// This is required so that webview resources load sucessfully in firefox
+// Firefox is more strict regarding CSP rules and it will complain if we left
+// the `webviewResourceBaseHost` set to 'vscode-cdn.net' as the service worker
+// is served from a different domain in this case `baseHost`.
+export let baseHost: string | undefined;
+if (isWeb) {
+	baseHost = (globalThis as any).env?.['GITPOD_CODE_HOST'];
+} else {
+	baseHost = process.env['GITPOD_CODE_HOST'];
+}
+baseHost ??= 'gitpod.io';
+if (/^https?:\/\//.test(baseHost)) {
+	try {
+		baseHost = new URL(baseHost).host;
+	} catch { }
+}
+
+export function addCustomGitpodProductProperties(product: IProductConfiguration): IProductConfiguration {
+	const openvsxUrl = atob('aHR0cHM6Ly9vcGVuLXZzeC5vcmc='); // Hack to avoid being replaced by blobserve, remove in the future
+	return {
+		...product,
+		linkProtectionTrustedDomains: [
+			// ...(product.linkProtectionTrustedDomains || []),
+			`https://open-vsx.${baseHost}`,
+			openvsxUrl
+		],
+		extensionsGallery: {
+			serviceUrl: `https://open-vsx.${baseHost}/vscode/gallery`,
+			itemUrl: `${openvsxUrl}/vscode/item`,
+			resourceUrlTemplate: `${openvsxUrl}/vscode/unpkg/{publisher}/{name}/{version}/{path}`, // Hardcoded for now until open-vsx proxy is fixed
+			controlUrl: `https://ide.${baseHost}/code/marketplace.json`,
+			publisherUrl: '',
+			nlsBaseUrl: '',
+		},
+		'configurationSync.store': {
+			url: `https://${baseHost}/code-sync`,
+			stableUrl: `https://${baseHost}/code-sync`,
+			insidersUrl: `https://${baseHost}/code-sync`,
+			canSwitch: false,
+			authenticationProviders: {
+				gitpod: {
+					scopes: ['function:accessCodeSyncStorage']
+				}
+			}
+		},
+		'editSessions.store': {
+			url: `https://${baseHost}/code-sync`,
+			canSwitch: false,
+			authenticationProviders: {
+				gitpod: {
+					scopes: ['function:accessCodeSyncStorage']
+				}
+			}
+		},
+	};
+}

src/vs/server/node/extensionHostConnection.ts

@@ -45,10 +45,7 @@ export async function buildUserEnvironment(startParamsEnv: { [key: string]: stri
 			VSCODE_HANDLES_UNCAUGHT_ERRORS: 'true',
 			VSCODE_NLS_CONFIG: JSON.stringify(nlsConfig, undefined, 0)
 		},
-		...startParamsEnv,
-		...{
-			GITPOD_CODE_HOST: environmentService.isBuilt ? processEnv['GITPOD_HOST'] : undefined
-		}
+		...startParamsEnv
 	};
 
 	const binFolder = environmentService.isBuilt ? join(environmentService.appRoot, 'bin') : join(environmentService.appRoot, 'resources', 'server', 'bin-dev');

src/vs/server/node/serverServices.ts

@@ -77,17 +77,19 @@ import { RemoteExtensionsScannerChannel, RemoteExtensionsScannerService } from '
 import { RemoteExtensionsScannerChannelName } from 'vs/platform/remote/common/remoteExtensionsScanner';
 import { RemoteUserDataProfilesServiceChannel } from 'vs/platform/userDataProfile/common/userDataProfileIpc';
 import { NodePtyHostStarter } from 'vs/platform/terminal/node/nodePtyHostStarter';
+import { DownloadService } from 'vs/platform/download/common/downloadService';
 // eslint-disable-next-line local/code-import-patterns
 import { GitpodInsightsAppender } from 'vs/gitpod/node/gitpodInsightsAppender';
-import { DownloadService } from 'vs/platform/download/common/downloadService';
+// eslint-disable-next-line local/code-import-patterns
+import { addCustomGitpodProductProperties } from 'vs/gitpod/platform/product/common/product';
 
 // const eventPrefix = 'monacoworkbench';
 
 export async function setupServerServices(connectionToken: ServerConnectionToken, args: ServerParsedArgs, REMOTE_DATA_FOLDER: string, disposables: DisposableStore) {
 	const services = new ServiceCollection();
 	const socketServer = new SocketServer<RemoteAgentConnectionContext>();
 
-	const productService: IProductService = { _serviceBrand: undefined, ...product };
+	const productService: IProductService = { _serviceBrand: undefined, ...addCustomGitpodProductProperties(product) };
 	services.set(IProductService, productService);
 
 	const environmentService = new ServerEnvironmentService(args, productService);

src/vs/server/node/webClientServer.ts

@@ -30,6 +30,8 @@ import { isString } from 'vs/base/common/types';
 import { CharCode } from 'vs/base/common/charCode';
 import { getRemoteServerRootPath } from 'vs/platform/remote/common/remoteHosts';
 import { IExtensionManifest } from 'vs/platform/extensions/common/extensions';
+// eslint-disable-next-line local/code-import-patterns
+import { baseHost } from 'vs/gitpod/platform/product/common/product';
 
 const textMimeType = {
 	'.html': 'text/html',
@@ -370,7 +372,7 @@ export class WebClientServer {
 			'media-src \'self\';',
 			`script-src 'self' 'unsafe-eval' ${this._getScriptCspHashes(data).join(' ')} 'sha256-fh3TwPMflhsEIpR8g1OYTIMVWhXTLcjQ9kh2tIpmv54=' ${useTestResolver ? '' : `http://${remoteAuthority}`};`, // the sha is the same as in src/vs/workbench/services/extensions/worker/webWorkerExtensionHostIframe.html
 			'child-src \'self\';',
-			`frame-src 'self' https://*.vscode-cdn.net https://*.gitpod.io https://*.gitpod-dev.com https://*.gitpod-staging.com data:;`,
+			`frame-src 'self' https://*.vscode-cdn.net https://*.${baseHost} https://*.gitpod-dev.com https://*.gitpod-staging.com data:;`,
 			'worker-src \'self\' data: blob:;',
 			'style-src \'self\' \'unsafe-inline\';',
 			'connect-src \'self\' ws: wss: https:;',

src/vs/workbench/browser/web.main.ts

@@ -95,6 +95,8 @@ import { EncryptionService } from 'vs/workbench/services/encryption/browser/encr
 import { IEncryptionService } from 'vs/platform/encryption/common/encryptionService';
 import { ISecretStorageService } from 'vs/platform/secrets/common/secrets';
 import { TunnelSource } from 'vs/workbench/services/remote/common/tunnelModel';
+// eslint-disable-next-line local/code-import-patterns
+import { addCustomGitpodProductProperties } from 'vs/gitpod/platform/product/common/product';
 
 export class BrowserMain extends Disposable {
 
@@ -250,7 +252,7 @@ export class BrowserMain extends Disposable {
 		const workspace = this.resolveWorkspace();
 
 		// Product
-		const productService: IProductService = mixin({ _serviceBrand: undefined, ...product }, this.configuration.productConfiguration);
+		const productService: IProductService = { _serviceBrand: undefined, ...addCustomGitpodProductProperties(mixin({ ...product }, this.configuration.productConfiguration)) };
 		serviceCollection.set(IProductService, productService);
 
 		// Environment

src/vs/workbench/contrib/webview/common/webview.ts

@@ -5,38 +5,23 @@
 
 import { CharCode } from 'vs/base/common/charCode';
 import { Schemas } from 'vs/base/common/network';
-import { isWeb } from 'vs/base/common/platform';
 import { URI } from 'vs/base/common/uri';
+// eslint-disable-next-line local/code-import-patterns
+import { baseHost } from 'vs/gitpod/platform/product/common/product';
 
 export interface WebviewRemoteInfo {
 	readonly isRemote: boolean;
 	readonly authority: string | undefined;
 }
 
-// This is required so that webview resources load sucessfully in firefox
-// Firefox is more strict regarding CSP rules and it will complain if we left
-// the `webviewResourceBaseHost` set to 'vscode-cdn.net' as the service worker
-// is served from a different domain in this case `gitpodHost`.
-// This change only affects the server part as it uses `process.env`,
-// for the front end there are some replace rules in gitpod blobserve config
-// that will replace 'vscode-cdn.net' with the proper host value
-// See https://github.com/gitpod-io/gitpod/blob/8c7cb822ed5c670c102335f76b269f00895c8876/chart/templates/blobserve-configmap.yaml#L28-L39
-// and https://github.com/gitpod-io/gitpod/blob/8c7cb822ed5c670c102335f76b269f00895c8876/installer/pkg/components/blobserve/configmap.go#L41-L61
-let gitpodHost;
-if (!isWeb) {
-	gitpodHost = process.env['GITPOD_CODE_HOST'];
-	try {
-		gitpodHost = gitpodHost && new URL(gitpodHost).host;
-	} catch { }
-}
 
 /**
  * Root from which resources in webviews are loaded.
  *
  * This is hardcoded because we never expect to actually hit it. Instead these requests
  * should always go to a service worker.
  */
-export const webviewResourceBaseHost = gitpodHost || 'vscode-cdn.net';
+export const webviewResourceBaseHost = baseHost || 'vscode-cdn.net';
 
 export const webviewRootResourceAuthority = `vscode-resource.${webviewResourceBaseHost}`;