Merge branch 'revert-c22637b5' into 'master'

Revert "Merge branch 'fix-csp-issue' into 'master'" See merge request gitlab-org/gitlab!63135

Merge branch 'revert-c22637b5' into 'master'
Revert "Merge branch 'fix-csp-issue' into 'master'" See merge request gitlab-org/gitlab!63135
4dbcd621 · Stan Hu · 4a85d66f · c2ba7d20 · 4dbcd621 · 4dbcd621
Commit 4dbcd621 authored Jun 03, 2021 by Stan Hu
5 changed files
--- a/app/helpers/gitlab_script_tag_helper.rb
+++ b/app/helpers/gitlab_script_tag_helper.rb
@@ -21,12 +21,4 @@ module GitlabScriptTagHelper

    super
  end
-
-  def preload_link_tag(source, options = {})
-    # Chrome requires a nonce, see https://gitlab.com/gitlab-org/gitlab/-/issues/331810#note_584964908
-    # It's likely to be a browser bug, but we need to work around it anyway
-    options[:nonce] = content_security_policy_nonce
-
-    super
-  end
 end
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -24,7 +24,7 @@ module Gitlab
            'media_src' => "'self'",
            'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
            'style_src' => "'self' 'unsafe-inline'",
-            'worker_src' => "'self' blob: data:",
+            'worker_src' => "'self'",
            'object_src' => "'none'",
            'report_uri' => nil
          }
@@ -37,7 +37,6 @@ module Gitlab

        allow_webpack_dev_server(settings_hash) if Rails.env.development?
        allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
-        allow_snowplow(settings_hash) if Gitlab::CurrentSettings.snowplow_enabled?

        settings_hash
      end
@@ -80,11 +79,6 @@ module Gitlab

        append_to_directive(settings_hash, 'script_src', cdn_host)
        append_to_directive(settings_hash, 'style_src', cdn_host)
-        append_to_directive(settings_hash, 'font_src', cdn_host)
-      end
-
-      def self.allow_snowplow(settings_hash)
-        append_to_directive(settings_hash, 'connect_src', Gitlab::CurrentSettings.snowplow_collector_hostname)
      end

      def self.append_to_directive(settings_hash, directive, text)

--- a/spec/helpers/gitlab_script_tag_helper_spec.rb
+++ b/spec/helpers/gitlab_script_tag_helper_spec.rb
@@ -41,11 +41,4 @@ RSpec.describe GitlabScriptTagHelper do
      expect(helper.javascript_tag( '// ignored', type: 'application/javascript') { 'alert(1)' }.to_s).to eq tag_with_nonce_and_type
    end
  end
-
-  describe '#preload_link_tag' do
-    it 'returns a link tag with a nonce' do
-      expect(helper.preload_link_tag('https://example.com/script.js').to_s)
-        .to eq "<link rel=\"preload\" href=\"https://example.com/script.js\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">"
-    end
-  end
 end
--- a/spec/helpers/webpack_helper_spec.rb
+++ b/spec/helpers/webpack_helper_spec.rb
@@ -15,7 +15,6 @@ RSpec.describe WebpackHelper do
  describe '#webpack_preload_asset_tag' do
    before do
      allow(Gitlab::Webpack::Manifest).to receive(:asset_paths).and_return([asset_path])
-      allow(helper).to receive(:content_security_policy_nonce).and_return('noncevalue')
    end

    it 'preloads the resource by default' do
@@ -23,7 +22,7 @@ RSpec.describe WebpackHelper do

      output = helper.webpack_preload_asset_tag(source)

-      expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">")
+      expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\">")
    end

    it 'prefetches the resource if explicitly asked' do

--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -49,21 +49,6 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do

        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
        expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
-        expect(directives['font_src']).to eq("'self' https://example.com")
-      end
-    end
-
-    context 'when snowplow is configured' do
-      before do
-        stub_application_setting(snowplow_enabled: true)
-        stub_application_setting(snowplow_collector_hostname: 'snowplow.example.com')
-      end
-
-      it 'adds snowplow to CSP' do
-        settings = described_class.default_settings_hash
-        directives = settings['directives']
-
-        expect(directives['connect_src']).to eq("'self' snowplow.example.com")
      end
    end
  end