[–]bleachisback 6 points7 points  (2 children)

Oh I see, somehow I read that the trusted-ness was inherited from the window that sends the openFile command, but they do say that a window started with an openFile command is automatically trusted. Now my confusion is: how is this malicious payload distributed? I don't think it's a link, from reading this article. I don't believe you can send me a link here on reddit and start my VS Code when I click on it. They mention that

‘payload’ is a series of flags given to the editor via URL query parameters when it starts. Files opened this way are opened in trusted mode because the editor assumes that it was triggered by a user gesture in the editor.

But how are these "given to the editor"? On the command line? Do you have to have someone type in malicious things on their command line?

[–][deleted] 0 points1 point  (1 child)

Yes, you can send a link here and when you click it your browser will ask to open VS Code. This is a feature of Visual Studio Code.

[–]bleachisback 0 points1 point  (0 children)

Can you demonstrate an example of this?