Allow setting trusted domains for links at run-time

It can be set either:

1. In the product.json (normally the product.json is embedded during the
   build and not read at run-time).
2. With the --link-protection-trusted-domains flag.

patches/series

@@ -20,3 +20,4 @@ getting-started.diff
 keepalive.diff
 clipboard.diff
 display-language.diff
+trusted-domains.diff

patches/trusted-domains.diff

@@ -0,0 +1,49 @@
+Allow configuring trusted domains via product.json or flag.
+
+Index: code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
++++ code-server/lib/vscode/src/vs/server/node/serverEnvironmentService.ts
+@@ -20,6 +20,7 @@ export const serverOptions: OptionDescri
+ 	'disable-file-uploads': { type: 'boolean' },
+ 	'disable-getting-started-override': { type: 'boolean' },
+ 	'locale': { type: 'string' },
++	'link-protection-trusted-domains': { type: 'string[]' },
+ 
+ 	/* ----- server setup ----- */
+ 
+@@ -108,6 +109,7 @@ export interface ServerParsedArgs {
+ 	'disable-file-uploads'?: boolean;
+ 	'disable-getting-started-override'?: boolean,
+ 	'locale'?: string
++	'link-protection-trusted-domains'?: string[],
+ 
+ 	/* ----- server setup ----- */
+ 
+Index: code-server/lib/vscode/src/vs/server/node/webClientServer.ts
+===================================================================
+--- code-server.orig/lib/vscode/src/vs/server/node/webClientServer.ts
++++ code-server/lib/vscode/src/vs/server/node/webClientServer.ts
+@@ -339,6 +339,14 @@ export class WebClientServer {
+ 			scopes: [['user:email'], ['repo']]
+ 		} : undefined;
+ 
++		const linkProtectionTrustedDomains: string[] = [];
++		if (this._environmentService.args['link-protection-trusted-domains']) {
++			linkProtectionTrustedDomains.push(...this._environmentService.args['link-protection-trusted-domains']);
++		}
++		if (this._productService.linkProtectionTrustedDomains) {
++			linkProtectionTrustedDomains.push(...this._productService.linkProtectionTrustedDomains);
++		}
++
+ 		const productConfiguration = {
+ 			codeServerVersion: this._productService.codeServerVersion,
+ 			rootEndpoint: rootBase,
+@@ -353,6 +361,7 @@ export class WebClientServer {
+ 			telemetryEndpoint: this._productService.telemetryEndpoint,
+ 			embedderIdentifier: 'server-distro',
+ 			extensionsGallery: this._productService.extensionsGallery,
++			linkProtectionTrustedDomains,
+ 		} satisfies Partial<IProductConfiguration>;
+ 
+ 		if (!this._environmentService.isBuilt) {

src/node/cli.ts

@@ -30,7 +30,7 @@ export enum LogLevel {
 export class OptionalString extends Optional<string> {}
 
 /**
- * Code flags provided by the user.
+ * (VS) Code flags provided by the user.
  */
 export interface UserProvidedCodeArgs {
   "disable-telemetry"?: boolean
@@ -54,6 +54,7 @@ export interface UserProvidedCodeArgs {
   "disable-proxy"?: boolean
   "session-socket"?: string
   "abs-proxy-base-path"?: string
+  "link-protection-trusted-domains"?: string[]
 }
 
 /**
@@ -194,6 +195,10 @@ export const options: Options<Required<UserProvidedArgs>> = {
   enable: { type: "string[]" },
   help: { type: "boolean", short: "h", description: "Show this output." },
   json: { type: "boolean" },
+  "link-protection-trusted-domains": {
+    type: "string[]",
+    description: "Links matching a trusted domain can be opened without link protection.",
+  },
   locale: {
     // The preferred way to set the locale is via the UI.
     type: "string",