
Coverage fails to write when using ember-cli-content-security-policy >= 1.1.1 #214

Open
gmurphey opened this issue Mar 26, 2019 · 3 comments
@gmurphey

gmurphey commented Mar 26, 2019

Haven't had too much time to dig into it, but the write coverage endpoint seems to be blocked when using ember-cli-content-security-policy >= 1.1.1. Might be enough to document the CSP changes needed to get it working, or to detect the CSP addon and augment its config when generating coverage reports.

gmurphey changed the title from "Coverage fails to write when using ember-cli-content-security-policy > 1.1.1" to "Coverage fails to write when using ember-cli-content-security-policy >= 1.1.1" on Mar 26, 2019

@dspigarelli

I found that not setting ember-cli-content-security-policy's contentSecurityPolicyMeta to true and ensuring "'unsafe-inline'" was in the list of options for contentSecurityPolicy['script-src'] when running COVERAGE=true ember test fixed it for me.

@jelhan

jelhan commented Apr 25, 2020

ensuring "'unsafe-inline'" was in the list of options for contentSecurityPolicy['script-src'] when running COVERAGE=true ember test

I'm a little bit confused that you are only talking about 'unsafe-inline'. I'm also seeing a CSP issue related to eval, which requires 'unsafe-eval'. Adding either 'unsafe-inline' or 'unsafe-eval' to the script directive is risky. It disables nearly all of the security improvements that CSP should provide. You should make sure that it's only in the list if test coverage is enabled. It must not be part of the CSP that is used in production.

I'm using a configuration similar to this one with ember-cli-content-security-policy@^2.0.0-1:

// config/content-security-policy.js

module.exports = function(environment) {
  return {
    delivery: ['header'],
    enabled: true,
    failTests: true,
    policy: {
      'default-src':  ["'none'"],
      // Relax script-src only while COVERAGE is set; otherwise only "'self'" remains.
      'script-src':   [
        "'self'",
        process.env.COVERAGE ? "'unsafe-inline'" : null,
        process.env.COVERAGE ? "'sha256-bOFF6I2TCLkFw5Vfln8TzDOIau151BOflG6fMzQXGY8='" : null,
      ].filter(Boolean), // drop the null entries when COVERAGE is unset
      'font-src':     ["'self'"],
      'connect-src':  ["'self'"],
      'img-src':      ["'self'"],
      'style-src':    ["'self'"],
      'media-src':    ["'self'"],
    },
    reportOnly: true,
  };
};

I looked for other options. If I didn't miss something, there isn't a better solution right now. Let me document my findings for others (and for my future self 😆).

By default istanbul injects a new Function('return this') into the source code to get the global object. This violates a strict CSP. It has been reported and fixed upstream some time ago by adding the additional configuration option coverageGlobalScopeFunc. If it's set to false, the eval will not be used. Instead it directly uses the value of coverageGlobalScope. This defaults to this but could be changed to global. See the merge request for details: istanbuljs/istanbuljs#200

This cannot be used yet. ember-cli-code-coverage, even in latest master, uses an old version (^5.2.0) of babel-plugin-istanbul that does not support setting these configuration options yet. babel-plugin-istanbul@^6.0 is required to do so. The feature was added in this pull request: istanbuljs/babel-plugin-istanbul#227

The .istanbul.yml has not been considered by babel-plugin-istanbul for a very long time. If I didn't miss something, this part of the ember-cli-code-coverage docs has been outdated since ^1.0.0-beta.

Currently ember-cli-code-coverage only supports setting the exclude and include options for babel-plugin-istanbul but no others: https://github.com/kategengler/ember-cli-code-coverage/blob/d6e2262923e7caeeb383fb6ccdf7b46e227f5715/index.js#L69

Additionally ember-cli-code-coverage injects a <script> tag into tests/index.html: https://github.com/kategengler/ember-cli-code-coverage/blob/d6e2262923e7caeeb383fb6ccdf7b46e227f5715/index.js#L83-L86 Until ember-cli-content-security-policy provides a way to whitelist such <script> tags (rwjblue/ember-cli-content-security-policy#67), documenting how CSP should be configured to allow it seems to be the best way.

As an alternative, the static nonce that is used to allow the <script> tag injected by Ember CLI could be used. But that's private API and not a good long-term solution. The same applies to adding a special workaround in ember-cli-content-security-policy for this addon.

To summarize what needs to be done (if I didn't miss something):

  • Upgrade babel-plugin-istanbul to ^6.0.
  • Provide an option to configure babel-plugin-istanbul.
  • Update documentation to explain what needs to be done if used with a content security policy.
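The environment-gated script-src idea from the configuration above, worked into a small standalone example (added here, not code from the issue, the addon or ember-cli-content-security-policy): it builds the policy object, renders it as a header value, and guards that 'unsafe-inline' / 'unsafe-eval' never reach a production policy. buildPolicy, serializePolicy and assertProductionSafe are hypothetical helper names; the COVERAGE env var is the one the addon already uses.

```javascript
// Keywords that undo most of what CSP buys; only acceptable while coverage runs.
const UNSAFE_SCRIPT_SOURCES = ["'unsafe-inline'", "'unsafe-eval'"];

// environment: Ember build environment ('development' | 'test' | 'production').
// coverage: value of process.env.COVERAGE (truthy for `COVERAGE=true ember test`).
function buildPolicy(environment, coverage) {
  // Coverage is only collected in test runs, so the relaxation is tied to
  // both conditions rather than to COVERAGE alone (hypothetical gate).
  const allowCoverage = environment === 'test' && Boolean(coverage);
  return {
    'default-src': ["'none'"],
    'script-src': [
      "'self'",
      // for the inline <script> ember-cli-code-coverage injects into tests/index.html
      allowCoverage ? "'unsafe-inline'" : null,
      // for istanbul's new Function('return this') global-object lookup
      allowCoverage ? "'unsafe-eval'" : null,
    ].filter(Boolean),
    'connect-src': ["'self'"],
    'img-src': ["'self'"],
    'style-src': ["'self'"],
  };
}

// Render the policy object as a Content-Security-Policy header value.
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Throws if a policy destined for production still carries either keyword;
// returns true otherwise. Intended to run in the production build pipeline.
function assertProductionSafe(policy) {
  const leaked = (policy['script-src'] || [])
    .filter((source) => UNSAFE_SCRIPT_SOURCES.includes(source));
  if (leaked.length > 0) {
    throw new Error(`production CSP must not contain ${leaked.join(', ')}`);
  }
  return true;
}

// Constructed sample run: a production build with COVERAGE accidentally left set.
const productionPolicy = buildPolicy('production', 'true');
assertProductionSafe(productionPolicy); // passes: the gate ignored COVERAGE
console.log(serializePolicy(productionPolicy));
```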

@svkangal

svkangal commented May 29, 2020

I found that not setting ember-cli-content-security-policy's contentSecurityPolicyMeta to true and ensuring "'unsafe-inline'" was in the list of options for contentSecurityPolicy['script-src'] when running COVERAGE=true ember test fixed it for me.

Just came across this issue, seeing issues with ember-cli-content-security-policy@1.1.1 and this worked for me.

5 participants