ryanluker / vscode-coverage-gutters

Display test coverage generated by lcov and xml - works with many languages
https://marketplace.visualstudio.com/items?itemName=ryanluker.vscode-coverage-gutters
MIT License

All resources in Java Jacoco coverage report preview are blocked by CSP #298

Closed fsgmhoward closed 2 years ago

fsgmhoward commented 3 years ago

Describe the bug

I use the Jacoco plugin in gradle to generate the coverage report for JUnit tests. Line highlights work fine, but when I preview the report, all styles are gone and none of the links are clickable. Using dev tools, it shows that all resources were blocked by CSP due to the header "default-src: 'none'" added (by VSCode? at least it is not in the index.html originally).

To Reproduce

Steps to reproduce the behaviour:

  1. Get a project using gradle with jacoco plugin enabled. e.g. this one
  2. Add this to the end of the build.gradle:
     jacocoTestReport {
         reports {
             xml.enabled true
             csv.enabled false
             html.destination file("${buildDir}/jacocoHtml")
         }
     }
  3. For this extension setting: "coverage-gutters.coverageReportFileName": "build/jacocoHtml/index.html"
  4. Run gradle test. It should generate the report as well.
  5. Preview using this extension

Expected behaviour

A preview report being shown with all styles in and links clickable.

Screenshots

Screenshot for report preview (in vscode): image

What it should look like in an ordinary browser: image

Screenshot of dev tools: (The default-src: 'self' is added by me to index.html manually but it does not seem to work. The original file generated by Jacoco does not have this. The first default-src: 'none' is added by VSCode.) image


ryanluker commented 3 years ago

@fsgmhoward Thanks for submitting an issue! This is odd that we are getting the CSP doubling here 🤔 . We recently added our own to follow the best practices Microsoft outlines. https://github.com/ryanluker/vscode-coverage-gutters/pull/290/files#diff-68de02f39c1df4e458757a13079e7dc64684f5f583e5c1300f7fc0f7d5c9af45R38-R47

fsgmhoward commented 3 years ago

@ryanluker Sorry for the confusion. I edited the text after I submitted the issue. The CSP double is because I wanted to try whether adding CSP manually in the html files will work. The original html file does not have any CSP header and the only one added by VSCode is the none one.

So something like this: image

ryanluker commented 3 years ago

@fsgmhoward Thanks for the extra insight, I think we can tinker with the policy to have the default src work for self 🤔 . We recently implemented a webview helper to assist with this and it should be a pretty easy change to have the display swapped around https://github.com/ryanluker/vscode-coverage-gutters/blob/master/src/extension/webview.ts#L38 .

There might also be ways we can add more to the policy around img-src that might be more correct than modifying the default-src attribute.

ryanluker commented 2 years ago

Fixed in #363 and will go out in the next release.
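
A small CSP model showing how the two policies discussed in this thread combine, and what a per-resource policy changes compared with loosening default-src. This is an added example, not code from the extension or from anyone in the thread; the origin, the asset path and the `relaxed` policy are constructed, source matching is simplified, and it assumes the report's assets share the document's origin.

```typescript
type Policy = Map<string, string[]>;

// Parse "default-src 'none'; img-src https:" into directive -> source list.
function parsePolicy(text: string): Policy {
  const policy: Policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does a single policy allow loading `url` under `directive` (e.g. "style-src")?
function policyAllows(policy: Policy, directive: string, url: string, selfOrigin: string): boolean {
  // Fetch directives that are not listed fall back to default-src.
  const sources = policy.get(directive) ?? policy.get("default-src");
  if (sources === undefined) return true; // nothing restricts this resource type
  const target = new URL(url);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === selfOrigin;
    if (src.endsWith(":")) return target.protocol === src; // scheme source, e.g. https:
    return target.origin === src; // simplification: exact origin, no wildcards or paths
  });
}

// Every policy attached to the document must allow the load, so an extra
// policy can only restrict further; it never loosens an existing one.
function isAllowed(policies: string[], directive: string, url: string, selfOrigin: string): boolean {
  return policies.every((p) => policyAllows(parsePolicy(p), directive, url, selfOrigin));
}

// Constructed sample values (not taken from the issue's screenshots).
const ORIGIN = "https://webview.example";
const CSS = ORIGIN + "/jacoco-resources/report.css";
const injected = "default-src 'none'"; // the policy the reporter found on the preview
const manual = "default-src 'self'"; // the second policy the reporter added by hand
const relaxed = "default-src 'none'; style-src 'self'; img-src 'self'";

console.log(isAllowed([injected], "style-src", CSS, ORIGIN)); // false
console.log(isAllowed([injected, manual], "style-src", CSS, ORIGIN)); // false
console.log(isAllowed([relaxed], "style-src", CSS, ORIGIN)); // true
console.log(isAllowed([relaxed], "script-src", ORIGIN + "/x.js", ORIGIN)); // false
```

The last line shows the benefit of listing style-src and img-src instead of widening default-src: scripts stay blocked while the report's stylesheet and images load.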