Commit 5b5ba914 authored by Vitali Tatarintev's avatar Vitali Tatarintev

Merge branch 'recaptcha-csp' into 'master'

Fix CSP issues related to captchas

See merge request gitlab-org/gitlab!62849
parents 7f8d95ad c7f10973
...@@ -17,7 +17,7 @@ ...@@ -17,7 +17,7 @@
= link_to _('Forgot your password?'), new_password_path(:user) = link_to _('Forgot your password?'), new_password_path(:user)
%div %div
- if captcha_enabled? || captcha_on_login_required? - if captcha_enabled? || captcha_on_login_required?
= recaptcha_tags = recaptcha_tags nonce: content_security_policy_nonce
.submit-container.move-submit-down .submit-container.move-submit-down
= f.submit _('Sign in'), class: 'gl-button btn btn-confirm', data: { qa_selector: 'sign_in_button' } = f.submit _('Sign in'), class: 'gl-button btn btn-confirm', data: { qa_selector: 'sign_in_button' }
...@@ -9,7 +9,7 @@ ...@@ -9,7 +9,7 @@
.devise-errors .devise-errors
= render 'devise/shared/error_messages', resource: resource = render 'devise/shared/error_messages', resource: resource
- if Gitlab::CurrentSettings.invisible_captcha_enabled - if Gitlab::CurrentSettings.invisible_captcha_enabled
= invisible_captcha = invisible_captcha nonce: true
.name.form-row .name.form-row
.col.form-group .col.form-group
= f.label :first_name, _('First name'), for: 'new_user_first_name', class: 'label-bold' = f.label :first_name, _('First name'), for: 'new_user_first_name', class: 'label-bold'
...@@ -59,7 +59,7 @@ ...@@ -59,7 +59,7 @@
%p.gl-field-hint.text-secondary= s_('SignUp|Minimum length is %{minimum_password_length} characters.') % { minimum_password_length: @minimum_password_length } %p.gl-field-hint.text-secondary= s_('SignUp|Minimum length is %{minimum_password_length} characters.') % { minimum_password_length: @minimum_password_length }
%div %div
- if show_recaptcha_sign_up? - if show_recaptcha_sign_up?
= recaptcha_tags = recaptcha_tags nonce: content_security_policy_nonce
.submit-container .submit-container
= f.submit button_text, class: 'btn gl-button btn-confirm', data: { qa_selector: 'new_user_register_button' } = f.submit button_text, class: 'btn gl-button btn-confirm', data: { qa_selector: 'new_user_register_button' }
= render 'devise/shared/terms_of_service_notice', button_text: button_text = render 'devise/shared/terms_of_service_notice', button_text: button_text
......
...@@ -20,7 +20,7 @@ ...@@ -20,7 +20,7 @@
- if captcha_required? - if captcha_required?
.row.recaptcha .row.recaptcha
.col-sm-4 .col-sm-4
= recaptcha_tags = recaptcha_tags nonce: content_security_policy_nonce
.row .row
.col-sm-12 .col-sm-12
= f.submit _('Create group'), class: "btn gl-button btn-confirm" = f.submit _('Create group'), class: "btn gl-button btn-confirm"
......
...@@ -10,7 +10,7 @@ ...@@ -10,7 +10,7 @@
= hidden_field(resource_name, field, value: value) = hidden_field(resource_name, field, value: value)
= hidden_field_tag(:spam_log_id, spammable.spam_log.id) = hidden_field_tag(:spam_log_id, spammable.spam_log.id)
-# The reCAPTCHA response value will be returned in the 'g-recaptcha-response' field -# The reCAPTCHA response value will be returned in the 'g-recaptcha-response' field
= recaptcha_tags script: script, callback: 'recaptchaDialogCallback' unless Rails.env.test? = recaptcha_tags script: script, callback: 'recaptchaDialogCallback', nonce: content_security_policy_nonce unless Rails.env.test?
-# Fake the 'g-recaptcha-response' field in the test environment, so that the feature spec -# Fake the 'g-recaptcha-response' field in the test environment, so that the feature spec
-# can get to the (mocked) SpamVerdictService check. -# can get to the (mocked) SpamVerdictService check.
= hidden_field_tag('g-recaptcha-response', 'abc123') if Rails.env.test? = hidden_field_tag('g-recaptcha-response', 'abc123') if Rails.env.test?
......
...@@ -18,11 +18,11 @@ module Gitlab ...@@ -18,11 +18,11 @@ module Gitlab
'font_src' => "'self'", 'font_src' => "'self'",
'form_action' => "'self' https: http:", 'form_action' => "'self' https: http:",
'frame_ancestors' => "'self'", 'frame_ancestors' => "'self'",
'frame_src' => "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com", 'frame_src' => "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
'img_src' => "'self' data: blob: http: https:", 'img_src' => "'self' data: blob: http: https:",
'manifest_src' => "'self'", 'manifest_src' => "'self'",
'media_src' => "'self'", 'media_src' => "'self'",
'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com", 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
'style_src' => "'self' 'unsafe-inline'", 'style_src' => "'self' 'unsafe-inline'",
'worker_src' => "'self'", 'worker_src' => "'self'",
'object_src' => "'none'", 'object_src' => "'none'",
......
...@@ -47,7 +47,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -47,7 +47,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
settings = described_class.default_settings_hash settings = described_class.default_settings_hash
directives = settings['directives'] directives = settings['directives']
expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com https://example.com") expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com") expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment