diff options
| author | Paul Duncan <pabs@pablotron.org> | 2022-02-25 03:47:20 -0500 | 
|---|---|---|
| committer | Paul Duncan <pabs@pablotron.org> | 2022-02-25 03:47:20 -0500 | 
| commit | ffb0428afa2c1497e263eacfdb790fd9213dc2d3 (patch) | |
| tree | 6455b91f9d483015570ba6bbb53f85981699b97c | |
| parent | 3e6cbaf2c0a42ba57fd61ab380dc631f251015aa (diff) | |
| download | pablotron.org-ffb0428afa2c1497e263eacfdb790fd9213dc2d3.tar.xz pablotron.org-ffb0428afa2c1497e263eacfdb790fd9213dc2d3.zip | |
add posts/2022-02-25-relaxed-csp-for-go-coverage.md
| -rw-r--r-- | content/posts/2022-02-25-relaxed-csp-for-go-coverage.md | 98 | 
1 files changed, 98 insertions, 0 deletions
| diff --git a/content/posts/2022-02-25-relaxed-csp-for-go-coverage.md b/content/posts/2022-02-25-relaxed-csp-for-go-coverage.md new file mode 100644 index 0000000..bf5dcfe --- /dev/null +++ b/content/posts/2022-02-25-relaxed-csp-for-go-coverage.md @@ -0,0 +1,98 @@ +--- +slug: relaxed-csp-for-go-coverage +title: "Relaxed Content-Security-Policy for Go Code Coverage Reports" +date: "2022-02-25T01:36:14-04:00" +--- +There is a conflict between [my strict +`Content-Security-Policy`][my-csp] and the [CSS][] and [JavaScript][js] +embedded in the [HTML][] [code coverage][] reports generated by [`go +cover`][go-cover]. + +I tested a couple of methods of overriding the base +[`Content-Security-Policy`][csp], without success: + +1. Add a relaxed [`<meta http-equiv='Content-Security-Policy' +   content='...'>`][meta-http-equiv] element. +2. Embed the script and style as [`data:` URLs][data-url]. + +(Aside: I'm glad browsers don't allow these workarounds, because they +would be potential security holes). + +In any case, the my solution was to relax the policy for a specific +location via the [Apache][] config: + +```apache +# +# Relax style-src and script-src content security policies for content +# in the "/coverage-reports" directory so that the HTML coverage reports +# generated by `go cover` work as expected. +# +# Specifically the relaxed constraints allow: +# +# 1. The inline `<script>` element at the end of the generated HTML. +# 2. `style='display: none'` attributes on hidden elements. +# +# Notes: +# +# * You *have* to use `Header set` rather than `Header append` to +#   replace rather than append to the existing header. +# * Ideally we'd use `style-src-elem` and `script-src-elem`, but neither +#   are currently supported by Firefox. +# +<Location /coverage-reports> +  Header set "Content-Security-Policy" "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'" +</Location> +``` +  + +The situation could be improved by making the following changes to the +[go cover HTML report source code][go-cover-html-src]: + +1. Replace `style="display: none"` attribute on elements with +   `class=hide`. +2. Add `.hide { display: none }` to the inline `<style>` element. +2. Hash the inner content of the inline `<style>` element. +3. Hash the inner content of the inline `<script>` element. +4. Add a [`<meta http-equiv ...>`][meta-http-equiv] element to the +   header, using the hashes from the previous two steps. + +Example: + +```html +<meta +  http-equiv="content-security-policy" +  content="default-src 'self'; script-src 'self' 'sha256-a43KCehRqYcFBGPJxgYD6a15e6CRFwVvwuDAe8rGbkM='; style-src 'self' 'sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts='" +/> +``` +  + +Bonus: These reports would automatically set a reasonable policy even in +the absense of a more restrictive server policy. + +Counter-argument to this post: These coverage reports are meant to be +simple and only used locally.  More elaborate or more secure coverage +reports should be generated by a separate tool rather than complicating +the default one. + +[my-csp]: {{< ref "2021-10-25-the-nuclear-option-no-more-unsafe-inline" >}} +  "My strict Content-Security-Policy setting." +[go-cover]: https://go.dev/blog/cover +  "Go code coverage HTML reports." +[code coverage]: https://en.wikipedia.org/wiki/Code_coverage +  "Test suite code coverage." +[css]: https://en.wikipedia.org/wiki/CSS +  "Cascading Style Sheets" +[js]: https://en.wikipedia.org/wiki/JavaScript +  "JavaScript programming language." +[html]: https://en.wikipedia.org/wiki/HTML +  "HyperText Markup Language" +[meta-http-equiv]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta +  "The <meta http-equiv ...> element." +[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP +  "Content-Security-Policy HTTP response header." +[data-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs +  "Data URL." +[apache]: https://httpd.apache.org/ +  "Apache web server." +[go-cover-html-src]: https://cs.opensource.google/go/go/+/master:src/cmd/cover/html.go +  "Source code for the HTML code coverage reports generated by go cover." | 
