github-actions[bot]
commented
2 months ago Pull Request Test Coverage Report for Build 10239559906
Details
- 10 of 12 (83.33%) changed or added relevant lines in 2 files are covered.
- No unchanged relevant lines lost coverage.
- Overall coverage increased (+0.03%) to 84.877%
| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % | ||
|---|---|---|---|---|---|
| backend/app/rest/api/rest.go | 9 | 11 | 81.82% | ||
| <!-- | Total: | 10 | 12 | 83.33% | --> |
| Totals | |
|---|---|
| Change from base Build 10172404701: | 0.03% |
| Covered Lines: | 5994 |
| Relevant Lines: | 7062 |
This is a security change. The policies I've added are not ideal but an improvement over lack of policies, and were tested by me for a few months to verify their work.
Content-Security-Policynow restricts resource loading and execution to enhance security:default-src 'none': Disallow all resource loading by default.base-uri 'none': Prevents the use of<base>tag to change the base URL for relative URLs.form-action 'none': Disallows form submissions.connect-src 'self': Restricts the origins that can be connected to (via XHR, WebSockets, etc.) to the same origin.frame-src *: Allow to be embedded on any domain.img-src 'self': Allows images to be loaded only from the same origin. IfimageProxyEnabledis true, allows images from any origin (*).script-src 'self' 'unsafe-inline': Allows scripts to be loaded and executed only from the same origin and allows inline scripts.style-src 'self' 'unsafe-inline': Allows styles to be loaded and applied only from the same origin and allows inline styles.font-src data:: Allows fonts to be loaded from data URIs.object-src 'none': Disallows the use of<object>,<embed>, and<applet>tags.Permissions-Policynow restricts the use of certain browser features which we don't use to enhance user privacy and security:accelerometer=(): Disables the use of the accelerometer sensor.autoplay=(): Disables automatic playback of media.camera=(): Disables the use of the camera.cross-origin-isolated=(): Disallows the page from being treated as cross-origin isolated.display-capture=(): Disables the ability to capture the display.encrypted-media=(): Disables the use of Encrypted Media Extensions .fullscreen=(): Disables the ability to use fullscreen mode.geolocation=(): Disables the use of geolocation.gyroscope=(): Disables the use of the gyroscope sensor.keyboard-map=(): Disables the use of the keyboard map.magnetometer=(): Disables the use of the magnetometer sensor.microphone=(): Disables the use of the microphone.midi=(): Disables the use of the MIDI API.payment=(): Disables the Payment Request API.picture-in-picture=(): Disables the use of Picture-in-Picture mode .publickey-credentials-get=(): Disables the use of the Web Authentication API.screen-wake-lock=(): Disables the ability to prevent the screen from dimming.sync-xhr=(): Disables synchronous XMLHttpRequest.usb=(): Disables the use of the USB API.xr-spatial-tracking=(): Disables the use of spatial tracking in WebXR.clipboard-read=(): Disables the ability to read from the clipboard .clipboard-write=(): Disables the ability to write to the clipboard .gamepad=(): Disables the use of the Gamepad API.hid=(): Disables the use of the Human Interface Device API.idle-detection=(): Disables the ability to detect idle state.interest-cohort=(): Disables the use of interest cohort tracking.serial=(): Disables the use of the Serial API.unload=(): Disables the ability to use thebeforeunloadandunloadevents.window-management=(): Disables the ability to use window management APIs.