All resources in Java Jacoco coverage report preview are blocked by CSP #298

Closed
fsgmhoward opened this issue Mar 24, 2021 · 4 comments

fsgmhoward commented Mar 24, 2021

Describe the bug
I use the Jacoco plugin in Gradle to generate the coverage report for JUnit tests. Line highlights work fine, but when I preview the report, all styles are gone and none of the links are clickable. Dev tools show that all resources were blocked by CSP due to the header "default-src: 'none'" added (by VSCode? At least it is not in the index.html originally).

To Reproduce
Steps to reproduce the behaviour:

  1. Get a project using gradle with jacoco plugin enabled. e.g. this one
  2. Add this to the end of the build.gradle:

         jacocoTestReport {
             reports {
                 xml.enabled true
                 csv.enabled false
                 html.destination file("${buildDir}/jacocoHtml")
             }
         }

  3. For this extension setting: "coverage-gutters.coverageReportFileName": "build/jacocoHtml/index.html"
  4. Run gradle test. It should generate the report as well.
  5. Preview using this extension

Expected behaviour
A preview report being shown with all styles in and links clickable.

Screenshots

Screenshot for report preview (in vscode):
image

What it should look like in an ordinary browser:
image

Screenshot of dev tools:
(The default-src: 'self' is added by me to index.html manually but it does not seem to work. The original file generated by Jacoco does not have this. The first default-src: 'none' is added by VSCode.)
image

Desktop (please complete the following information):

  • OS: windows
  • Extension Version 2.7.2
  • VSCode Version 1.54.3
@ryanluker
Owner

@fsgmhoward Thanks for submitting an issue!
It is odd that we are getting the CSP doubling here 🤔.
We recently added our own to follow the best practices Microsoft outlines.
https://github.com/ryanluker/vscode-coverage-gutters/pull/290/files#diff-68de02f39c1df4e458757a13079e7dc64684f5f583e5c1300f7fc0f7d5c9af45R38-R47

@fsgmhoward
Author

@ryanluker Sorry for the confusion. I edited the text after I submitted the issue. The CSP double is because I wanted to try whether adding CSP manually in the html files will work. The original html file does not have any CSP header and the only one added by VSCode is the none one.

So something like this:
image

@ryanluker
Owner

@fsgmhoward Thanks for the extra insight, I think we can tinker with the policy to have the default src work for self 🤔 .
We recently implemented a webview helper to assist with this and it should be a pretty easy change to have the display swapped around https://github.com/ryanluker/vscode-coverage-gutters/blob/master/src/extension/webview.ts#L38 .

There might also be ways we can add more to the policy around img-src that might be more correct than modifying the default-src attribute.

@ryanluker
Owner

Fixed in #363 and will go out in the next release.

@ryanluker ryanluker added this to the 2.10.0 milestone May 1, 2022
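
Why the hand-added `default-src 'self'` in the report had no effect, as an added example (not code from this thread or from the extension): when a document carries several CSPs, a request must pass every one of them, so a second policy can only tighten the first. The evaluator is a simplified model; the origin, paths and the `SCOPED` policy are constructed for illustration.

```javascript
// Simplified model of how a browser applies CSP fetch directives. It handles
// only 'none', 'self', scheme sources (https:) and exact origins.
function parsePolicy(text) {
  const directives = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A directive name repeated inside one policy is ignored after its first use.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function policyAllows(policy, directive, url, selfOrigin) {
  // style-src, img-src, script-src etc. fall back to default-src when absent.
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // this policy does not govern the request
  const target = new URL(url);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return target.origin === selfOrigin;
    if (s.endsWith(":")) return target.protocol === s;
    return target.origin === s;
  });
}

// Every policy on the document (header plus each <meta> tag) must allow the
// request, so an additional policy can only restrict, never relax.
function isAllowed(policyTexts, directive, url, selfOrigin) {
  return policyTexts.every((text) =>
    policyAllows(parsePolicy(text), directive, url, selfOrigin));
}

// Constructed sample values: the origin and paths are placeholders.
const ORIGIN = "https://report.example";
const CSS = ORIGIN + "/report.css";
const INJECTED = "default-src 'none'"; // the policy seen in the preview
const MANUAL = "default-src 'self'";   // the policy the reporter added by hand
// Hypothetical replacement policy that opens only styles and images.
const SCOPED = "default-src 'none'; style-src 'self'; img-src 'self'";

console.log(isAllowed([INJECTED], "style-src", CSS, ORIGIN));         // false
console.log(isAllowed([INJECTED, MANUAL], "style-src", CSS, ORIGIN)); // false
console.log(isAllowed([SCOPED], "style-src", CSS, ORIGIN));           // true
console.log(isAllowed([SCOPED], "script-src", ORIGIN + "/sort.js", ORIGIN)); // false
```

The third case matches the direction discussed above: the injected policy itself has to change, and adding specific directives such as `img-src` keeps everything else under `default-src 'none'`.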