From ffb0428afa2c1497e263eacfdb790fd9213dc2d3 Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Fri, 25 Feb 2022 03:47:20 -0500 Subject: add posts/2022-02-25-relaxed-csp-for-go-coverage.md --- .../2022-02-25-relaxed-csp-for-go-coverage.md | 98 ++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 content/posts/2022-02-25-relaxed-csp-for-go-coverage.md (limited to 'content/posts') diff --git a/content/posts/2022-02-25-relaxed-csp-for-go-coverage.md b/content/posts/2022-02-25-relaxed-csp-for-go-coverage.md new file mode 100644 index 0000000..bf5dcfe --- /dev/null +++ b/content/posts/2022-02-25-relaxed-csp-for-go-coverage.md @@ -0,0 +1,98 @@ +--- +slug: relaxed-csp-for-go-coverage +title: "Relaxed Content-Security-Policy for Go Code Coverage Reports" +date: "2022-02-25T01:36:14-04:00" +--- +There is a conflict between [my strict +`Content-Security-Policy`][my-csp] and the [CSS][] and [JavaScript][js] +embedded in the [HTML][] [code coverage][] reports generated by [`go +cover`][go-cover]. + +I tested a couple of methods of overriding the base +[`Content-Security-Policy`][csp], without success: + +1. Add a relaxed [``][meta-http-equiv] element. +2. Embed the script and style as [`data:` URLs][data-url]. + +(Aside: I'm glad browsers don't allow these workarounds, because they +would be potential security holes). + +In any case, the my solution was to relax the policy for a specific +location via the [Apache][] config: + +```apache +# +# Relax style-src and script-src content security policies for content +# in the "/coverage-reports" directory so that the HTML coverage reports +# generated by `go cover` work as expected. +# +# Specifically the relaxed constraints allow: +# +# 1. The inline `