add posts/2022-02-25-relaxed-csp-for-go-coverage.md

1 files changed, 98 insertions, 0 deletions

diff --git a/content/posts/2022-02-25-relaxed-csp-for-go-coverage.md b/content/posts/2022-02-25-relaxed-csp-for-go-coverage.md
new file mode 100644
index 0000000..bf5dcfe
--- /dev/null
+++ b/content/posts/2022-02-25-relaxed-csp-for-go-coverage.md
@@ -0,0 +1,98 @@
+---
+slug: relaxed-csp-for-go-coverage
+title: "Relaxed Content-Security-Policy for Go Code Coverage Reports"
+date: "2022-02-25T01:36:14-04:00"
+---
+There is a conflict between [my strict
+`Content-Security-Policy`][my-csp] and the [CSS][] and [JavaScript][js]
+embedded in the [HTML][] [code coverage][] reports generated by [`go
+cover`][go-cover].
+
+I tested a couple of methods of overriding the base
+[`Content-Security-Policy`][csp], without success:
+
+1. Add a relaxed [`<meta http-equiv='Content-Security-Policy'
+   content='...'>`][meta-http-equiv] element.
+2. Embed the script and style as [`data:` URLs][data-url].
+
+(Aside: I'm glad browsers don't allow these workarounds, because they
+would be potential security holes).
+
+In any case, the my solution was to relax the policy for a specific
+location via the [Apache][] config:
+
+```apache
+#
+# Relax style-src and script-src content security policies for content
+# in the "/coverage-reports" directory so that the HTML coverage reports
+# generated by `go cover` work as expected.
+#
+# Specifically the relaxed constraints allow:
+#
+# 1. The inline `<script>` element at the end of the generated HTML.
+# 2. `style='display: none'` attributes on hidden elements.
+#
+# Notes:
+#
+# * You *have* to use `Header set` rather than `Header append` to
+#   replace rather than append to the existing header.
+# * Ideally we'd use `style-src-elem` and `script-src-elem`, but neither
+#   are currently supported by Firefox.
+#
+<Location /coverage-reports>
+  Header set "Content-Security-Policy" "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
+</Location>
+```
+&nbsp;
+
+The situation could be improved by making the following changes to the
+[go cover HTML report source code][go-cover-html-src]:
+
+1. Replace `style="display: none"` attribute on elements with
+   `class=hide`.
+2. Add `.hide { display: none }` to the inline `<style>` element.
+2. Hash the inner content of the inline `<style>` element.
+3. Hash the inner content of the inline `<script>` element.
+4. Add a [`<meta http-equiv ...>`][meta-http-equiv] element to the
+   header, using the hashes from the previous two steps.
+
+Example:
+
+```html
+<meta
+  http-equiv="content-security-policy"
+  content="default-src 'self'; script-src 'self' 'sha256-a43KCehRqYcFBGPJxgYD6a15e6CRFwVvwuDAe8rGbkM='; style-src 'self' 'sha256-8OTC92xYkW7CWPJGhRvqCR0U1CR6L8PhhpRGGxgW4Ts='"
+/>
+```
+&nbsp;
+
+Bonus: These reports would automatically set a reasonable policy even in
+the absense of a more restrictive server policy.
+
+Counter-argument to this post: These coverage reports are meant to be
+simple and only used locally.  More elaborate or more secure coverage
+reports should be generated by a separate tool rather than complicating
+the default one.
+
+[my-csp]: {{< ref "2021-10-25-the-nuclear-option-no-more-unsafe-inline" >}}
+  "My strict Content-Security-Policy setting."
+[go-cover]: https://go.dev/blog/cover
+  "Go code coverage HTML reports."
+[code coverage]: https://en.wikipedia.org/wiki/Code_coverage
+  "Test suite code coverage."
+[css]: https://en.wikipedia.org/wiki/CSS
+  "Cascading Style Sheets"
+[js]: https://en.wikipedia.org/wiki/JavaScript
+  "JavaScript programming language."
+[html]: https://en.wikipedia.org/wiki/HTML
+  "HyperText Markup Language"
+[meta-http-equiv]: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
+  "The <meta http-equiv ...> element."
+[csp]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+  "Content-Security-Policy HTTP response header."
+[data-url]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs
+  "Data URL."
+[apache]: https://httpd.apache.org/
+  "Apache web server."
+[go-cover-html-src]: https://cs.opensource.google/go/go/+/master:src/cmd/cover/html.go
+  "Source code for the HTML code coverage reports generated by go cover."