lib/coverband/reporters/web.rb in coverband-5.2.6.rc.2 vs lib/coverband/reporters/web.rb in coverband-5.2.6.rc.3

- old
+ new

@@ -11,10 +11,26 @@ module Coverband
 module Reporters
 class Web
 attr_reader :request
+ CSP_HEADER = [
+ "default-src 'self' https: http:",
+ "child-src 'self'",
+ "connect-src 'self' https: http: wss: ws:",
+ "font-src 'self' https: http:",
+ "frame-src 'self'",
+ "img-src 'self' https: http: data:",
+ "manifest-src 'self'",
+ "media-src 'self'",
+ "object-src 'none'",
+ "script-src 'self' https: http: 'unsafe-inline'",
+ "style-src 'self' https: http: 'unsafe-inline'",
+ "worker-src 'self'",
+ "base-uri 'self'"
+ ].join("; ").freeze
+
 def init_web
 full_path = Gem::Specification.find_by_name("coverband").full_gem_path
 @static = Rack::Static.new(self, root: File.expand_path("public", full_path), urls: [/.*\.css/, /.*\.js/, /.*\.gif/, /.*\.png/])
@@ -56,30 +72,30 @@
 when %r{\/clear_file}
 clear_file
 when %r{\/clear}
 clear
 else
- [404, {"Content-Type" => "text/html"}, ["404 error!"]]
+ [404, coverband_headers, ["404 error!"]]
 end
 else
 case request_path_info
 when /.*\.(css|js|gif|png)/
 @static.call(env)
 when %r{\/settings}
- [200, {"Content-Type" => "text/html"}, [settings]]
+ [200, coverband_headers, [settings]]
 when %r{\/view_tracker_data}
- [200, {"Content-Type" => "text/json"}, [view_tracker_data]]
+ [200, coverband_headers(content_type: "text/json"), [view_tracker_data]]
 when %r{\/enriched_debug_data}
- [200, {"Content-Type" => "text/json"}, [enriched_debug_data]]
+ [200, coverband_headers(content_type: "text/json"), [enriched_debug_data]]
 when %r{\/debug_data}
- [200, {"Content-Type" => "text/json"}, [debug_data]]
+ [200, coverband_headers(content_type: "text/json"), [debug_data]]
 when %r{\/load_file_details}
- [200, {"Content-Type" => "text/json"}, [load_file_details]]
+ [200, coverband_headers(content_type: "text/json"), [load_file_details]]
 when %r{\/$}
- [200, {"Content-Type" => "text/html"}, [index]]
+ [200, coverband_headers, [index]]
 else
- [404, {"Content-Type" => "text/html"}, ["404 error!"]]
+ [404, coverband_headers, ["404 error!"]]
 end
 end
 end
 end
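Review bot: The new CSP_HEADER constant allows `script-src 'self' https: http: 'unsafe-inline'` (and the same for style-src) on top of a `default-src` that already admits any http/https origin, so the policy permits inline scripts and remotely loaded scripts from anywhere and gives almost no protection against markup injection into the report pages, even if it were later enforced rather than reported. If the inline `<script>`/`<style>` in the bundled views are the reason, that should be recorded at the constant, e.g. `# 'unsafe-inline' and the http:/https: sources are required by the inline assets in the current views (TODO confirm); replace with nonces/hashes before this policy is enforced.` The `http:` source also means the policy does not discourage mixed content when the report is served over TLS; dropping it is a one-word change per directive if nothing actually loads over plain http.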
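Review bot: The JSON routes (`view_tracker_data`, `enriched_debug_data`, `debug_data`, `load_file_details`) keep `content_type: "text/json"`, which is not the registered JSON media type; since these lines are rewritten anyway, `coverband_headers(content_type: "application/json")` would let browsers and tooling treat the bodies as JSON without sniffing. The value is carried over from the old code, so this is a follow-up rather than a regression. The `@static.call(env)` branch still returns Rack::Static's own headers and therefore never goes through `coverband_headers`; that is fine for assets but worth a one-line comment so nobody expects the CSP header there. The enclosing method starts before this hunk.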
@@ -171,9 +187,17 @@
 end
 [302, {"Location" => "#{base_path}/#{tracker.route}?notice=#{notice}"}, []]
 end
 private
+
+ def coverband_headers(content_type: "text/html")
+ web_headers = {
+ "Content-Type" => content_type
+ }
+ web_headers["Content-Security-Policy-Report-Only"] = CSP_HEADER if Coverband.configuration.csp_policy
+ web_headers
+ end
 # This method should get the root mounted endpoint
 # for example if the app is mounted like so:
 # mount Coverband::Web, at: '/coverage'
 # "/coverage/collect_coverage?" become:
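Review bot: `coverband_headers` only ever sends the policy as `Content-Security-Policy-Report-Only`, and CSP_HEADER contains no `report-uri`/`report-to` directive, so when `csp_policy` is on nothing is enforced and violations surface only in the browser console; the method has no documentation saying so, and a caller reading the configuration name may assume it hardens the report UI. A YARD block such as `# Builds the Rack response headers for the web reporter. The CSP is emitted report-only (diagnostic, not enforcement) when Coverband.configuration.csp_policy is set.` plus `# @param content_type [String]` / `# @return [Hash]` would make the intent explicit, and the option name or docs should eventually say whether an enforcing mode is planned. A cheap hardening that fits this helper is `web_headers["X-Content-Type-Options"] = "nosniff"`, which stops the JSON/HTML bodies from being re-interpreted by the browser. If the gem supports Rack 3, note that Rack::Lint there requires lowercase header names, so the mixed-case keys used here (including the pre-existing `"Content-Type"`) may need to change — confirm against the supported Rack range.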