lib/coverband/reporters/web.rb in coverband-5.2.6.rc.2 vs lib/coverband/reporters/web.rb in coverband-5.2.6.rc.3
- old
+ new
@@ -11,10 +11,26 @@
module Coverband
module Reporters
class Web
attr_reader :request
+ CSP_HEADER = [
+ "default-src 'self' https: http:",
+ "child-src 'self'",
+ "connect-src 'self' https: http: wss: ws:",
+ "font-src 'self' https: http:",
+ "frame-src 'self'",
+ "img-src 'self' https: http: data:",
+ "manifest-src 'self'",
+ "media-src 'self'",
+ "object-src 'none'",
+ "script-src 'self' https: http: 'unsafe-inline'",
+ "style-src 'self' https: http: 'unsafe-inline'",
+ "worker-src 'self'",
+ "base-uri 'self'"
+ ].join("; ").freeze
+
def init_web
full_path = Gem::Specification.find_by_name("coverband").full_gem_path
@static = Rack::Static.new(self,
root: File.expand_path("public", full_path),
urls: [/.*\.css/, /.*\.js/, /.*\.gif/, /.*\.png/])
@@ -56,30 +72,30 @@
when %r{\/clear_file}
clear_file
when %r{\/clear}
clear
else
- [404, {"Content-Type" => "text/html"}, ["404 error!"]]
+ [404, coverband_headers, ["404 error!"]]
end
else
case request_path_info
when /.*\.(css|js|gif|png)/
@static.call(env)
when %r{\/settings}
- [200, {"Content-Type" => "text/html"}, [settings]]
+ [200, coverband_headers, [settings]]
when %r{\/view_tracker_data}
- [200, {"Content-Type" => "text/json"}, [view_tracker_data]]
+ [200, coverband_headers(content_type: "text/json"), [view_tracker_data]]
when %r{\/enriched_debug_data}
- [200, {"Content-Type" => "text/json"}, [enriched_debug_data]]
+ [200, coverband_headers(content_type: "text/json"), [enriched_debug_data]]
when %r{\/debug_data}
- [200, {"Content-Type" => "text/json"}, [debug_data]]
+ [200, coverband_headers(content_type: "text/json"), [debug_data]]
when %r{\/load_file_details}
- [200, {"Content-Type" => "text/json"}, [load_file_details]]
+ [200, coverband_headers(content_type: "text/json"), [load_file_details]]
when %r{\/$}
- [200, {"Content-Type" => "text/html"}, [index]]
+ [200, coverband_headers, [index]]
else
- [404, {"Content-Type" => "text/html"}, ["404 error!"]]
+ [404, coverband_headers, ["404 error!"]]
end
end
end
end
@@ -171,9 +187,17 @@
end
[302, {"Location" => "#{base_path}/#{tracker.route}?notice=#{notice}"}, []]
end
private
+
+ def coverband_headers(content_type: "text/html")
+ web_headers = {
+ "Content-Type" => content_type
+ }
+ web_headers["Content-Security-Policy-Report-Only"] = CSP_HEADER if Coverband.configuration.csp_policy
+ web_headers
+ end
# This method should get the root mounted endpoint
# for example if the app is mounted like so:
# mount Coverband::Web, at: '/coverage'
# "/coverage/collect_coverage?" become: