Skip to content
This repository was archived by the owner on Aug 24, 2025. It is now read-only.
This repository was archived by the owner on Aug 24, 2025. It is now read-only.

Custom local endpoint is blocked by Content Security Policy (CSP) #10

Description

@giuscia

Hello Pochi Development Team,

I am reporting a bug that prevents the extension from connecting to a local Ollama server, due to a strict Content Security Policy. This makes the custom model endpoint feature unusable for local servers.


Environment & Configuration

  • Pochi Version: 0.6.0
  • VS Code Settings (settings.json):
    "pochi.customModelSettings": [
        {
            "id": "ollama-local",
            "baseURL": "http://127.0.0.1:11434",
            "apiKey": "ollama",
            "models": [
                {
                    "id": "mistral:7b",
                    "name": "Mistral 7B (Ollama)",
                    "contextWindow": 8192,
                    "maxTokens": 4096
                }
            ]
        }
    ]

The Problem

When the extension tries to connect to the configured local server, it fails. I have observed two main errors:

  1. Initially, the error was connect ECONNREFUSED 127.0.0.1:11434.
  2. After some attempts, the error changed to Failed to fetch.

Debugging & Analysis

I performed a series of diagnostic steps to isolate the issue:

  1. Server Verified: The Ollama server is running correctly. Both ollama list in the terminal and navigating to http://127.0.0.1:11434 in a web browser work perfectly and return a 200 OK response.

  2. VS Code Connectivity Verified: I installed the REST Client extension in the same VS Code instance. A GET request to http://127.0.0.1:11434 from REST Client was successful. This proves that VS Code itself can connect to the server, and the issue is specific to the Pochi extension.

  3. Root Cause Identified: I used the Developer: Open Webview Developer Tools and inspected the console. This revealed the true cause of the error:

    Fetch API cannot load http://127.0.0.1:11434/v1/chat/completions. Refused to connect because it violates the document's Content Security Policy.


Conclusion & Suggested Fix

The extension's internal Content Security Policy (CSP) is blocking the connection to the user-defined local server.

The connect-src directive within the CSP needs to be updated to dynamically include the baseURL provided by the user in the pochi.customModelSettings.

Thank you for your great work on this extension. I hope this detailed report helps in resolving the issue quickly.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions