Add CustomersDot to frame-src in CSP settings if set

Add CUSTOMER_PORTAL_URL to iframe-src in development only

Add CustomersDot to frame-src in CSP settings if set
Add CUSTOMER_PORTAL_URL to iframe-src in development only
32ffd342 · Vitaly Slobodin · Igor Drozdov · 8ee19b92 · 32ffd342 · 32ffd342
Commit 32ffd342 authored Jun 30, 2021 by Vitaly Slobodin Committed by Igor Drozdov Jun 30, 2021
2 changed files
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -37,6 +37,7 @@ module Gitlab

        allow_webpack_dev_server(settings_hash) if Rails.env.development?
        allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
+        allow_customersdot(settings_hash) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?

        settings_hash
      end
@@ -85,6 +86,12 @@ module Gitlab
      def self.append_to_directive(settings_hash, directive, text)
        settings_hash['directives'][directive] = "#{settings_hash['directives'][directive]} #{text}".strip
      end
+
+      def self.allow_customersdot(settings_hash)
+        customersdot_host = ENV['CUSTOMER_PORTAL_URL']
+
+        append_to_directive(settings_hash, 'frame_src', customersdot_host)
+      end
    end
  end
 end
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -61,6 +61,36 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
        expect(directives['font_src']).to eq("'self' https://example.com")
      end
    end
+
+    context 'when CUSTOMER_PORTAL_URL is set' do
+      before do
+        stub_env('CUSTOMER_PORTAL_URL', 'https://customers.example.com')
+      end
+
+      context 'when in production' do
+        before do
+          allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('production'))
+        end
+
+        it 'does not add CUSTOMER_PORTAL_URL to CSP' do
+          directives = settings['directives']
+
+          expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com")
+        end
+      end
+
+      context 'when in development' do
+        before do
+          allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('development'))
+        end
+
+        it 'adds CUSTOMER_PORTAL_URL to CSP' do
+          directives = settings['directives']
+
+          expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://customers.example.com")
+        end
+      end
+    end
  end

  describe '#load' do