resolve conflicts

lib/coverband/configuration.rb

@@ -11,7 +11,8 @@ class Configuration
       :view_tracker, :defer_eager_loading_data,
       :track_routes, :route_tracker,
       :track_translations, :translations_tracker,
-      :trackers
+      :trackers, :csp_policy
+
     attr_writer :logger, :s3_region, :s3_bucket, :s3_access_key_id,
       :s3_secret_access_key, :password, :api_key, :service_url, :coverband_timeout, :service_dev_mode,
       :service_test_mode, :process_type, :track_views, :redis_url,
@@ -82,6 +83,7 @@ def reset
       @all_root_paths = nil
       @all_root_patterns = nil
       @password = nil
+      @csp_policy = false
 
       # coverband service settings
       @api_key = nil
@@ -150,7 +152,7 @@ def password
     def background_reporting_sleep_seconds
       @background_reporting_sleep_seconds ||= if service?
         # default to 10m for service
-        Coverband.configuration.coverband_env == "production" ? 600 : 60
+        (Coverband.configuration.coverband_env == "production") ? 600 : 60
       elsif store.is_a?(Coverband::Adapters::HashRedisStore)
         # Default to 5 minutes if using the hash redis store
         300
@@ -258,11 +260,11 @@ def service_url
     end
 
     def coverband_env
-      ENV["RACK_ENV"] || ENV["RAILS_ENV"] || (defined?(Rails) && Rails.respond_to?(:env) ? Rails.env : "unknown")
+      ENV["RACK_ENV"] || ENV["RAILS_ENV"] || ((defined?(Rails) && Rails.respond_to?(:env)) ? Rails.env : "unknown")
     end
 
     def coverband_timeout
-      @coverband_timeout ||= coverband_env == "development" ? 5 : 2
+      @coverband_timeout ||= (coverband_env == "development") ? 5 : 2
     end
 
     def service_dev_mode

lib/coverband/reporters/web.rb

@@ -13,6 +13,22 @@ module Reporters
     class Web
       attr_reader :request
 
+      CSP_HEADER = [
+        "default-src 'self' https: http:",
+        "child-src 'self'",
+        "connect-src 'self' https: http: wss: ws:",
+        "font-src 'self' https: http:",
+        "frame-src 'self'",
+        "img-src 'self' https: http: data:",
+        "manifest-src 'self'",
+        "media-src 'self'",
+        "object-src 'none'",
+        "script-src 'self' https: http: 'unsafe-inline'",
+        "style-src 'self' https: http: 'unsafe-inline'",
+        "worker-src 'self'",
+        "base-uri 'self'"
+      ].join("; ").freeze
+
       def init_web
         full_path = Gem::Specification.find_by_name("coverband").full_gem_path
         @static = Rack::Static.new(self,
@@ -35,7 +51,7 @@ def call(env)
 
         return [401, {"www-authenticate" => 'Basic realm=""'}, [""]] unless check_auth
 
-        request_path_info = request.path_info == "" ? "/" : request.path_info
+        request_path_info = (request.path_info == "") ? "/" : request.path_info
         tracker_route = false
         Coverband.configuration.trackers.each do |tracker|
           if request_path_info.match(tracker.class::REPORT_ROUTE)
@@ -58,26 +74,26 @@ def call(env)
             when %r{\/clear}
               clear
             else
-              [404, {"Content-Type" => "text/html"}, ["404 error!"]]
+              [404, coverband_headers, ["404 error!"]]
             end
           else
             case request_path_info
             when /.*\.(css|js|gif|png)/
               @static.call(env)
             when %r{\/settings}
-              [200, {"Content-Type" => "text/html"}, [settings]]
+              [200, coverband_headers, [settings]]
             when %r{\/view_tracker_data}
-              [200, {"Content-Type" => "text/json"}, [view_tracker_data]]
+              [200, coverband_headers(content_type: "text/json"), [view_tracker_data]]
             when %r{\/enriched_debug_data}
-              [200, {"Content-Type" => "text/json"}, [enriched_debug_data]]
+              [200, coverband_headers(content_type: "text/json"), [enriched_debug_data]]
             when %r{\/debug_data}
-              [200, {"Content-Type" => "text/json"}, [debug_data]]
+              [200, coverband_headers(content_type: "text/json"), [debug_data]]
             when %r{\/load_file_details}
-              [200, {"Content-Type" => "text/json"}, [load_file_details]]
+              [200, coverband_headers(content_type: "text/json"), [load_file_details]]
             when %r{\/$}
-              [200, {"Content-Type" => "text/html"}, [index]]
+              [200, coverband_headers, [index]]
             else
-              [404, {"Content-Type" => "text/html"}, ["404 error!"]]
+              [404, coverband_headers, ["404 error!"]]
             end
           end
         end
@@ -174,6 +190,14 @@ def clear_abstract_tracking_key(tracker)
 
       private
 
+      def coverband_headers(content_type: "text/html")
+        web_headers = {
+          "Content-Type" => content_type
+        }
+        web_headers["Content-Security-Policy-Report-Only"] = CSP_HEADER if Coverband.configuration.csp_policy
+        web_headers
+      end
+
       # This method should get the root mounted endpoint
       # for example if the app is mounted like so:
       # mount Coverband::Web, at: '/coverage'
@@ -183,7 +207,7 @@ def clear_abstract_tracking_key(tracker)
       # %r{\/.*\/}.match?(request.path) ? request.path.match("\/.*\/")[0] : "/"
       # ^^ the above is NOT valid Ruby 2.3/2.4 even though rubocop / standard think it is
       def base_path
-        request.path =~ %r{\/.*\/} ? request.path.match("/.*/")[0] : "/"
+        (request.path =~ %r{\/.*\/}) ? request.path.match("/.*/")[0] : "/"
       end
     end
   end