
Preprocess HTML: wrap Content-Security-Policy meta tag into comment #8075

Closed
wants to merge 1 commit into from

Conversation

vitaliy-guliy
Contributor

@vitaliy-guliy vitaliy-guliy commented Jun 23, 2020

What it does

Wraps the Content-Security-Policy meta tag in the HEAD section of the webview HTML into a comment (disabling it).
It is needed for the Jira and Bitbucket extension, which uses webviews to display some pages.

The extension opens a webview with initial HTML:

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <base href="vscode-resource:/tmp/vscode-unpacked/atlascode-0.0.0.vsix/extension/" />
        <!-- <meta name="viewport" content="width=device-width,initial-scale=0,shrink-to-fit=no" /> -->
        <meta name="theme-color" content="#000000" />
        <meta id="reactView" name="reactView" content="atlascodeSettingsV2" />
        <title>Atlassian Webview</title>
        <meta
            http-equiv="Content-Security-Policy"
            content="
                default-src https://api.atlassian.com ; 
                img-src data: vscode-resource: http: https: blob:; 
                object-src data:; 
                script-src vscode-resource:;
                style-src vscode-resource: 'unsafe-inline' blob: http: https: data:;"
        />
    </head>

    <body>
        <noscript>You need to enable JavaScript to run this app.</noscript>

        <div id="root"></div>
        <script src="vscode-resource:/tmp/vscode-unpacked/atlascode-0.0.0.vsix/extension/build/static/js/mui.454e318f.js"></script>
    </body>
</html>

The JavaScript script src refers to the resource using the vscode-resource: scheme in the URI. To have such a resource loaded, Theia pre-processes the URI before inserting the HTML.
But if the webview has restrictions (script-src vscode-resource:) provided by the Content-Security-Policy meta tag, the browser blocks all the requests to those resources.

[Screenshot from 2020-06-03 12-51-25]

The idea is to temporarily wrap such meta tags into comments while we don't have any solution for how to handle resources with the vscode-resource: and theia-resource: schemes.

Original issue describing the problem: eclipse-che/che#17081

How to test

In any webview

  • use an image or script with vscode-resource: or theia-resource: scheme in the URI
  • add the following meta tag to the head
        <meta
            http-equiv="Content-Security-Policy"
            content="
                default-src https://api.atlassian.com ; 
                img-src vscode-resource: theia-resource:;  
                script-src vscode-resource: theia-resource:;
                style-src vscode-resource: theia-resource:;"
        />

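The mismatch the PR describes, as an added example that is not Theia's or the extension's code: it extracts the CSP meta tag shown above, evaluates a resource URI against the applicable directive (with the default-src fallback), and shows that the original vscode-resource: script passes while the same script under a rewritten URI is blocked. It assumes Node.js; the rewritten https origin is hypothetical, since the page does not give the preprocessor's output, and the matcher covers scheme and host sources only.

```javascript
// Added example, not Theia's or the Atlassian extension's code: checks a resource URI against
// the CSP <meta> tag in webview HTML to show why "script-src vscode-resource:" blocks the
// script once its URI is rewritten to another scheme. Runs under Node.js (WHATWG URL).
const WEBVIEW_HTML = `<head>
  <meta
    http-equiv="Content-Security-Policy"
    content="
      default-src https://api.atlassian.com ;
      img-src data: vscode-resource: http: https: blob:;
      object-src data:;
      script-src vscode-resource:;
      style-src vscode-resource: 'unsafe-inline' blob: http: https: data:;"
  />
</head>`; // constructed, reduced to the <meta> tag from the PR description
// Pull the policy text out of the meta tag; attributes may span several lines.
function extractCsp(html) {
  const m = html.match(/<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"/i);
  return m ? m[1] : null;
}
// "directive src src; ..." -> Map; the first occurrence of a directive wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}
// Simplified matcher: scheme-source ("vscode-resource:") and host-source
// ("https://api.atlassian.com") only; quoted keywords such as 'unsafe-inline'
// govern inline code, not URL fetches, so they never match a URL here.
function sourceMatches(source, url) {
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  try { const s = new URL(source); return s.protocol === url.protocol && s.host === url.host; }
  catch { return false; }
}
// Directive for the fetch type, else default-src; with neither, the fetch is unrestricted.
function cspAllows(policy, directive, uri) {
  const d = parseCsp(policy);
  const sources = d.get(directive) ?? d.get('default-src');
  if (!sources) return true;
  const url = new URL(uri);
  return sources.some(src => sourceMatches(src, url));
}
const policy = extractCsp(WEBVIEW_HTML);
const original = 'vscode-resource:/tmp/vscode-unpacked/atlascode-0.0.0.vsix/extension/build/static/js/mui.454e318f.js';
// Hypothetical rewritten URI: the page does not show what the preprocessor emits, only that the scheme changes.
const rewritten = 'https://theia.example/webview' + original.slice('vscode-resource:'.length);
console.log(cspAllows(policy, 'script-src', original), cspAllows(policy, 'script-src', rewritten)); // true false
```

The second result is the blocked request from the screenshot: the policy's source list no longer names the scheme the script is actually fetched from, which is why aligning the policy with the webview URI (the asWebviewUri route the maintainer points to) resolves it without dropping the policy.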
@vitaliy-guliy force-pushed the change-content-security-policy branch from 88af814 to 5dfae96 on June 23, 2020 10:44
@vitaliy-guliy changed the title from "Preprocess HTML: wrap Content-Security-Policy meta tag into comment" to "[WIP] Preprocess HTML: wrap Content-Security-Policy meta tag into comment" on Jun 23, 2020
Signed-off-by: Vitaliy Gulyy <vgulyy@redhat.com>
@vitaliy-guliy force-pushed the change-content-security-policy branch from 50402f5 to 346ea88 on June 23, 2020 10:51
@vitaliy-guliy changed the title from "[WIP] Preprocess HTML: wrap Content-Security-Policy meta tag into comment" to "Preprocess HTML: wrap Content-Security-Policy meta tag into comment" on Jun 23, 2020
@akosyakov
Member

akosyakov commented Jun 23, 2020

The preprocessor takes care of vscode-resource as well. CSP is there to ensure security; it cannot be worked around. Generally, vscode-resource is deprecated; it does not seem that this extension was adjusted to work in a remote context. It should use the webviews.asWebviewUri function. For instance, see how another extension is adjusted: mhutchie/vscode-git-graph#305. Please file a bug request against the extension.

@akosyakov added the labels "security" (issues related to security) and "webviews" (issues related to webviews) on Jun 23, 2020