Extension-host handler that answers net.fetch.* and net.ws.* messages
posted by the Agent Chat webview's installNetworkBridge override.
The webview cannot reach external origins because of CORS. This handler
opens the real HTTP/WebSocket connection in the Node.js extension host
(where CORS does not apply) and relays streaming chunks / WebSocket
messages back to the webview through postMessage.
Wire protocol — see webview/agentChat/networkBridge.ts module doc.
Security note: this bridge runs in the extension host's network identity
(no CORS, no SOP) so a compromised webview that controls these envelopes
could otherwise pivot through it as an SSRF primitive. To keep that
surface small the handler:
- Validates every inbound message envelope (net.fetch.request,
  net.ws.open, etc.) against a strict shape — non-string IDs,
  missing fields, and wrong-typed bodies are dropped silently.
- Rejects any URL whose scheme is not in the allowlist. Only
  https: is accepted for fetch() and only wss: for
  WebSocket. This excludes file:, data: and plain http:,
  which closes off the most common SSRF schemes — but note that
  this check is scheme-only: a compromised webview can still
  reach any externally reachable HTTPS host (including misconfigured
  internal services exposed over TLS). A host/IP allowlist tied to
  the active runtime ingress is a follow-up if stricter isolation
  is required.
- Bounds the amount of error-response body buffered for diagnostic
  logging so a misbehaving endpoint cannot inflate host memory.
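
The envelope and scheme checks described above, as an added example that is not the extension's own code. The names checkEnvelope, verdicts and allowedHosts and the envelope fields type, id and url are assumptions; the optional host allowlist goes beyond the current handler and sketches the follow-up the note mentions.

```typescript
// Added illustration with hypothetical names; the real wire protocol is
// documented in webview/agentChat/networkBridge.ts.
interface Verdict { ok: boolean; reason: string; url?: URL }

// Scheme allowlist from the security note: https: for fetch, wss: for WebSocket.
const ALLOWED_SCHEME = new Map<string, string>([
  ["net.fetch.request", "https:"],
  ["net.ws.open", "wss:"],
]);

function checkEnvelope(msg: unknown, allowedHosts?: ReadonlySet<string>): Verdict {
  // Strict shape check: anything malformed is rejected before a URL is parsed.
  if (typeof msg !== "object" || msg === null) return { ok: false, reason: "shape" };
  const { type, id, url } = msg as Record<string, unknown>;
  if (typeof type !== "string") return { ok: false, reason: "type" };
  const scheme = ALLOWED_SCHEME.get(type);
  if (scheme === undefined) return { ok: false, reason: "type" };
  if (typeof id !== "string" || id.length === 0) return { ok: false, reason: "id" };
  if (typeof url !== "string") return { ok: false, reason: "url" };
  let parsed: URL;
  try { parsed = new URL(url); } catch { return { ok: false, reason: "url" }; }
  // Compare the parsed protocol, never a string prefix of the raw URL.
  if (parsed.protocol !== scheme) return { ok: false, reason: "scheme" };
  // Assumed follow-up: exact-match host allowlist on top of the scheme check.
  if (allowedHosts && !allowedHosts.has(parsed.hostname)) return { ok: false, reason: "host" };
  return { ok: true, reason: "ok", url: parsed };
}

// Constructed sample envelopes (not captured traffic).
const SAMPLES: unknown[] = [
  { type: "net.fetch.request", id: "r1", url: "https://api.example.com/v1/chat" },
  { type: "net.fetch.request", id: 7, url: "https://api.example.com/" }, // non-string id
  { type: "net.fetch.request", id: "r2", url: "file:///tmp/example" },
  { type: "net.fetch.request", id: "r3", url: "http://api.example.com/" },
  { type: "net.ws.open", id: "w1", url: "https://api.example.com/socket" }, // wss: required
  { type: "net.fetch.request", id: "r4", url: "https://10.0.0.5/admin" }, // internal host over TLS
];

// Returns one reason per sample so the effect of each check can be compared.
function verdicts(allowedHosts?: ReadonlySet<string>): string[] {
  return SAMPLES.map((m) => checkEnvelope(m, allowedHosts).reason);
}

console.log("scheme-only:   ", verdicts().join(", "));
console.log("with allowlist:", verdicts(new Set(["api.example.com"])).join(", "));
```

The last sample is accepted by the scheme-only check and rejected only once the host allowlist is supplied, which is the gap the security note calls out.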