This article is more than 1 year old
Microsoft defends intrusive dialog in Visual Studio Code that asks if you really trust the code you've been working on
'All the subtlety of a GDPR cookie banner and the charm of Clippy'
Visual Studio Code program manager Chris Dias has defended an intrusive new "Workspace Trust" dialog, saying it is to "raise awareness that there are many attack opportunities when you download code from the internet."
The feature, introduced last month in version 1.57, was initially described as "extra security against code execution when browsing unfamiliar source code."
Unfamiliar code in this context might include code the developer has just written. For example, create an empty folder, add a readme.txt (or even leave it empty), open the folder in VS Code, and the editor presents a scary dialog asking "Do you trust the authors of the files in this folder?" The options are either to "enable all features" or to "browse folder in restricted mode."
Restricted mode "tries to prevent automatic code execution by disabling or limiting the operation of several VS Code features: tasks, debugging, workspace settings, and extensions," state the docs.
According to Dias, VS Code "is capable of running code from the workspace on your behalf to provide a richer development experience," which exposes developers to risks such as "the npm module that steals your crypto wallet private keys."
Dias noted there are multiple ways in which VS Code and its extensions execute code, some of them automated, such as pre-launch tasks that build a project for debugging, and potentially could have "an extra task executing arbitrary code unrelated to the build."
Jupyter notebooks run code, as does ES Lint, a linting tool for JavaScript. Initially, Dias explained, the team introduced warnings before all such actions, but then felt that multiple prompts for different purposes were worse than a single prompt for the whole workspace. In VS Code, opening a folder is equivalent to opening a workspace.
- Developing for Windows 11: Like developing for Windows 10, but with rounded corners?
- Stop. Look... Install Linux? The Reg solves Microsoft's latest Windows teaser
- Microsoft: Try to break our first preview of 64-bit Visual Studio – go on, we dare you
- Microsoft loves Linux so much that packages.microsoft.com has fallen and can't get up
Dias acknowledged the ugliness of the dialog that "is pretty big and it keeps coming up for every new folder you open, unless you take action to configure it." However, he said that when the team tried "passive notification," or disabling trust until specifically enabled, "usage data showed a very low rate of granting trust through the passive notification. In user studies, we watched people spend all their time thinking they had broken something."
Therefore the current design has one modal, intrusive dialog that, once passed, enables everything. There is even an option to "trust the authors of all files in the parent folder" so that the feature can in effect be disabled for an entire collection of projects. There is also an option in Settings – Security to disable the feature completely.
The feature is problematic, as VS Code users were quick to observe. "I was very happy to figure out how to disable the new 'Workspace Trust' feature in #vscode … if I didn't trust the code it wouldn't be on my system," said one. "It has all the subtlety of a GDPR cookie banner and the charm of clippy," said another. "When you ask #microsoft to make #vscode secure this is the stuff they come up with. #VistaPrompt," was another take.
Workspace Trust does have a use case: safely browsing suspect code. But the notion that all the source code on a developer's PC is suddenly untrusted by default is an odd one, and modal dialogs are a blunt instrument that developers may confirm simply in order to get on with their work. Modern JavaScript projects, for example, often have thousands of files, many buried under a directory called node_modules. It is not humanly possible to check each one, and a huge number of different authors may be involved. Asking the developer to declare that they trust those authors may not materially improve security.
A developer commented to one of several GitHub issues seeking to improve or remove the feature by complaining that VS Code is "gradually sliding from sweet simplicity into a DevOps platform designed for users with no IT experience."
Workspace Trust is well intentioned but the feature seems out of step with the philosophy of an editor that is lightweight and does not get in the way.
That said, the feature is optional and perhaps achieves the goal of raising awareness of the risks "when you download code from the internet." Dias promised a number of fixes and improvements "coming in the 1.58 release based on your input." ®