Skip to content

G
gitlab-ce
Commit 32ffd342 authored by Vitaly Slobodin's avatar Vitaly Slobodin Committed by Igor Drozdov
Browse files
Options

Add CustomersDot to frame-src in CSP settings if set 

Add CUSTOMER_PORTAL_URL to iframe-src in development only
parent 8ee19b92
Hide whitespace changes
Inline Side-by-side
Showing with 37 additions and 0 deletions
lib/gitlab/content_security_policy/config_loader.rb
View file @ 32ffd342
...@@ -37,6 +37,7 @@ module Gitlab ...@@ -37,6 +37,7 @@ module Gitlab
allow_webpack_dev_server(settings_hash) if Rails.env.development? allow_webpack_dev_server(settings_hash) if Rails.env.development?
allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present? allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
allow_customersdot(settings_hash) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
settings_hash settings_hash
end end
...@@ -85,6 +86,12 @@ module Gitlab ...@@ -85,6 +86,12 @@ module Gitlab
def self.append_to_directive(settings_hash, directive, text) def self.append_to_directive(settings_hash, directive, text)
settings_hash['directives'][directive] = "#{settings_hash['directives'][directive]} #{text}".strip settings_hash['directives'][directive] = "#{settings_hash['directives'][directive]} #{text}".strip
end end
def self.allow_customersdot(settings_hash)
customersdot_host = ENV['CUSTOMER_PORTAL_URL']
append_to_directive(settings_hash, 'frame_src', customersdot_host)
end
end end
end end
end end
spec/lib/gitlab/content_security_policy/config_loader_spec.rb
View file @ 32ffd342
...@@ -61,6 +61,36 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -61,6 +61,36 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
expect(directives['font_src']).to eq("'self' https://example.com") expect(directives['font_src']).to eq("'self' https://example.com")
end end
end end
context 'when CUSTOMER_PORTAL_URL is set' do
before do
stub_env('CUSTOMER_PORTAL_URL', 'https://customers.example.com')
end
context 'when in production' do
before do
allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('production'))
end
it 'does not add CUSTOMER_PORTAL_URL to CSP' do
directives = settings['directives']
expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com")
end
end
context 'when in development' do
before do
allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('development'))
end
it 'adds CUSTOMER_PORTAL_URL to CSP' do
directives = settings['directives']
expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://customers.example.com")
end
end
end
end end
describe '#load' do describe '#load' do
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7