Merge pull request danmayer#470 from danmayer/csp

Csp

lib/coverband/configuration.rb

@@ -11,7 +11,8 @@ class Configuration
       :view_tracker, :defer_eager_loading_data,
       :track_routes, :route_tracker,
       :track_translations, :translations_tracker,
-      :trackers
+      :trackers, :csp_policy
+
     attr_writer :logger, :s3_region, :s3_bucket, :s3_access_key_id,
       :s3_secret_access_key, :password, :api_key, :service_url, :coverband_timeout, :service_dev_mode,
       :service_test_mode, :process_type, :track_views, :redis_url,
@@ -82,6 +83,7 @@ def reset
       @all_root_paths = nil
       @all_root_patterns = nil
       @password = nil
+      @csp_policy = false
 
       # coverband service settings
       @api_key = nil

lib/coverband/reporters/web.rb

@@ -13,6 +13,22 @@ module Reporters
     class Web
       attr_reader :request
 
+      CSP_HEADER = [
+        "default-src 'self' https: http:",
+        "child-src 'self'",
+        "connect-src 'self' https: http: wss: ws:",
+        "font-src 'self' https: http:",
+        "frame-src 'self'",
+        "img-src 'self' https: http: data:",
+        "manifest-src 'self'",
+        "media-src 'self'",
+        "object-src 'none'",
+        "script-src 'self' https: http: 'unsafe-inline'",
+        "style-src 'self' https: http: 'unsafe-inline'",
+        "worker-src 'self'",
+        "base-uri 'self'"
+      ].join("; ").freeze
+
       def init_web
         full_path = Gem::Specification.find_by_name("coverband").full_gem_path
         @static = Rack::Static.new(self,
@@ -58,26 +74,26 @@ def call(env)
             when %r{\/clear}
               clear
             else
-              [404, {"Content-Type" => "text/html"}, ["404 error!"]]
+              [404, coverband_headers, ["404 error!"]]
             end
           else
             case request_path_info
             when /.*\.(css|js|gif|png)/
               @static.call(env)
             when %r{\/settings}
-              [200, {"Content-Type" => "text/html"}, [settings]]
+              [200, coverband_headers, [settings]]
             when %r{\/view_tracker_data}
-              [200, {"Content-Type" => "text/json"}, [view_tracker_data]]
+              [200, coverband_headers(content_type: "text/json"), [view_tracker_data]]
             when %r{\/enriched_debug_data}
-              [200, {"Content-Type" => "text/json"}, [enriched_debug_data]]
+              [200, coverband_headers(content_type: "text/json"), [enriched_debug_data]]
             when %r{\/debug_data}
-              [200, {"Content-Type" => "text/json"}, [debug_data]]
+              [200, coverband_headers(content_type: "text/json"), [debug_data]]
             when %r{\/load_file_details}
-              [200, {"Content-Type" => "text/json"}, [load_file_details]]
+              [200, coverband_headers(content_type: "text/json"), [load_file_details]]
             when %r{\/$}
-              [200, {"Content-Type" => "text/html"}, [index]]
+              [200, coverband_headers, [index]]
             else
-              [404, {"Content-Type" => "text/html"}, ["404 error!"]]
+              [404, coverband_headers, ["404 error!"]]
             end
           end
         end
@@ -174,6 +190,14 @@ def clear_abstract_tracking_key(tracker)
 
       private
 
+      def coverband_headers(content_type: "text/html")
+        web_headers = {
+          "Content-Type" => content_type
+        }
+        web_headers["Content-Security-Policy-Report-Only"] = CSP_HEADER if Coverband.configuration.csp_policy
+        web_headers
+      end
+
       # This method should get the root mounted endpoint
       # for example if the app is mounted like so:
       # mount Coverband::Web, at: '/coverage'