
Coverage fails to write when using ember-cli-content-security-policy >= 1.1.1

Open gmurphey opened this issue 6 years ago • 3 comments

Haven't had too much time to dig into it, but the write coverage endpoint seems to be blocked when using ember-cli-content-security-policy >= 1.1.1. Might be enough to document the CSP changes needed to get it working, or to detect the CSP addon and augment its config when generating coverage reports.

gmurphey avatar Mar 26 '19 18:03 gmurphey

I found that not setting ember-cli-content-security-policy's contentSecurityPolicyMeta to true and ensuring "'unsafe-inline'" was in the list of options for contentSecurityPolicy['script-src'] when running COVERAGE=true ember test fixed it for me.

dspigarelli avatar Jan 31 '20 17:01 dspigarelli

ensuring "'unsafe-inline'" was in the list of options for contentSecurityPolicy['script-src'] when running COVERAGE=true ember test

I'm a little bit confused that you are only talking about 'unsafe-inline'. I'm also seeing a CSP issue related to eval, which requires 'unsafe-eval'. Adding either 'unsafe-inline' or 'unsafe-eval' to the script directive is risky. It disables nearly all of the security improvements that CSP should provide. You should make sure that it's only in the list if test coverage is enabled. It must not be part of the CSP that is used in production.

I'm using a configuration similar to this one with ember-cli-content-security-policy@^2.0.0-1:

// config/content-security-policy.js
module.exports = function(environment) {
  return {
    delivery: ['header'],
    enabled: true,
    failTests: true,
    policy: {
      'default-src':  ["'none'"],
      'script-src':   [
        "'self'",
        // only relax script-src when running with COVERAGE=true
        process.env.COVERAGE ? "'unsafe-inline'" : null,
        process.env.COVERAGE ? "'sha256-bOFF6I2TCLkFw5Vfln8TzDOIau151BOflG6fMzQXGY8='" : null,
      ].filter(Boolean), // drop the null entries when coverage is off
      'font-src':     ["'self'"],
      'connect-src':  ["'self'"],
      'img-src':      ["'self'"],
      'style-src':    ["'self'"],
      'media-src':    ["'self'"],
    },
    reportOnly: true,
  };
};

I researched other options. If I didn't miss something, there isn't a better solution right now. Let me document my findings for others (and for my future self :laughing:).

By default istanbul injects a new Function('return this') into the source code to get the global object. This violates a strict CSP. It has been reported and fixed upstream some time ago by adding the additional configuration option coverageGlobalScopeFunc. If it's set to false, the eval will not be used. Instead it directly uses the value of coverageGlobalScope. This defaults to this but could be changed to global. See the merge request for details: https://github.com/istanbuljs/istanbuljs/pull/200

This cannot be used yet. ember-cli-code-coverage, even in latest master, uses an old version (^5.2.0) of babel-plugin-istanbul that does not support setting these configuration options yet. babel-plugin-istanbul@^6.0 is required to do so. The feature was added in this pull request: https://github.com/istanbuljs/babel-plugin-istanbul/pull/227

The .istanbul.yml has not been considered by babel-plugin-istanbul for a very long time. If I didn't miss something, this part of the ember-cli-code-coverage docs has been outdated since ^1.0.0-beta.

Currently ember-cli-code-coverage only supports setting the exclude and include options for babel-plugin-istanbul but no others: https://github.com/kategengler/ember-cli-code-coverage/blob/d6e2262923e7caeeb383fb6ccdf7b46e227f5715/index.js#L69

Additionally ember-cli-code-coverage injects a <script> tag into tests/index.html: https://github.com/kategengler/ember-cli-code-coverage/blob/d6e2262923e7caeeb383fb6ccdf7b46e227f5715/index.js#L83-L86

Until ember-cli-content-security-policy provides a way to whitelist such <script> tags (https://github.com/rwjblue/ember-cli-content-security-policy/issues/67), documenting how CSP should be configured to allow it seems to be the best way.

As an alternative, the static nonce that is used to allow the <script> tag injected by Ember CLI could be used. But that's private API and not a good long-term solution. The same applies to adding a special workaround in ember-cli-content-security-policy for this addon.

To summarize what needs to be done (if I didn't miss something):

  • Upgrade babel-plugin-istanbul to ^6.0.
  • Provide an option to configure babel-plugin-istanbul.
  • Update documentation to explain what needs to be done if used with a content security policy.

jelhan avatar Apr 25 '20 15:04 jelhan
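Added example (not code from the issue thread or from either addon): a config/content-security-policy.js in the policy shape that ember-cli-content-security-policy@^2 expects, following dspigarelli's and jelhan's approach of relaxing script-src only when COVERAGE is set, plus a guard that refuses to emit a production policy containing 'unsafe-inline' or 'unsafe-eval'. The hash value is a constructed placeholder; the real one must be the SHA-256 of the exact inline script ember-cli-code-coverage injects. The helper names (buildPolicy, serializePolicy, findUnsafeScriptSources, assertProductionSafe) are this example's own.

```javascript
// config/content-security-policy.js (added example, not the addon's own code)

// Keywords that disable most of what a script-src policy is meant to enforce.
const UNSAFE_SCRIPT_KEYWORDS = ["'unsafe-inline'", "'unsafe-eval'"];

// Constructed placeholder: replace with the base64 SHA-256 of the injected
// coverage <script> body, otherwise the hash source does nothing useful.
const COVERAGE_SCRIPT_HASH = "'sha256-PLACEHOLDER_HASH_OF_INJECTED_SCRIPT='";

// Build the policy object; 'unsafe-inline' and the script hash are appended
// to script-src only when coverage collection is requested.
function buildPolicy({ coverage = false } = {}) {
  const scriptSrc = ["'self'"];
  if (coverage) {
    scriptSrc.push("'unsafe-inline'", COVERAGE_SCRIPT_HASH);
  }
  return {
    'default-src': ["'none'"],
    'script-src': scriptSrc,
    'font-src': ["'self'"],
    'connect-src': ["'self'"],
    'img-src': ["'self'"],
    'style-src': ["'self'"],
    'media-src': ["'self'"],
  };
}

// Render the policy object as a Content-Security-Policy header value.
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Return every unsafe keyword present in script-src (empty array = clean).
function findUnsafeScriptSources(policy) {
  const scriptSrc = policy['script-src'] || [];
  return scriptSrc.filter((source) => UNSAFE_SCRIPT_KEYWORDS.includes(source));
}

// Fail the build rather than ship a relaxed script-src to production.
function assertProductionSafe(policy, environment) {
  if (environment !== 'production') {
    return true;
  }
  const unsafe = findUnsafeScriptSources(policy);
  if (unsafe.length > 0) {
    throw new Error(
      `production CSP must not contain ${unsafe.join(', ')} in script-src`
    );
  }
  return true;
}

// Entry point in the shape ember-cli-content-security-policy@^2 reads.
function contentSecurityPolicyConfig(environment) {
  // Coverage is never honoured for a production build, even if COVERAGE leaks in.
  const coverage = Boolean(process.env.COVERAGE) && environment !== 'production';
  const policy = buildPolicy({ coverage });
  assertProductionSafe(policy, environment);
  return {
    delivery: ['header'],
    enabled: true,
    failTests: true,
    policy,
    reportOnly: false,
  };
}

if (typeof module !== 'undefined') {
  module.exports = contentSecurityPolicyConfig;
}
```

With COVERAGE=true ember test the generated header reads script-src 'self' 'unsafe-inline' 'sha256-...'; without it, script-src is 'self' only, and any attempt to build a production policy that still carries an unsafe keyword throws before the app is served. reportOnly is set to false here so that violations actually block, unlike the report-only setting in the thread's config; keep failTests on so a violation surfaces as a test failure.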

I found that not setting ember-cli-content-security-policy's contentSecurityPolicyMeta to true and ensuring "'unsafe-inline'" was in the list of options for contentSecurityPolicy['script-src'] when running COVERAGE=true ember test fixed it for me.

Just came across this issue, seeing issues with [email protected] and this worked for me.

svkangal avatar May 29 '20 03:05 svkangal