Commit df3a9aa8 authored by Igor Drozdov's avatar Igor Drozdov

Merge branch 'vs/add-customersdot-to-csp-framesrc' into 'master'

Add CustomersDot to frame-src in CSP settings if set (development environment only)

See merge request gitlab-org/gitlab!64587
parents e394be7e 32ffd342
...@@ -37,6 +37,7 @@ module Gitlab ...@@ -37,6 +37,7 @@ module Gitlab
allow_webpack_dev_server(settings_hash) if Rails.env.development? allow_webpack_dev_server(settings_hash) if Rails.env.development?
allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present? allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
allow_customersdot(settings_hash) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
settings_hash settings_hash
end end
...@@ -85,6 +86,12 @@ module Gitlab ...@@ -85,6 +86,12 @@ module Gitlab
def self.append_to_directive(settings_hash, directive, text) def self.append_to_directive(settings_hash, directive, text)
settings_hash['directives'][directive] = "#{settings_hash['directives'][directive]} #{text}".strip settings_hash['directives'][directive] = "#{settings_hash['directives'][directive]} #{text}".strip
end end
def self.allow_customersdot(settings_hash)
customersdot_host = ENV['CUSTOMER_PORTAL_URL']
append_to_directive(settings_hash, 'frame_src', customersdot_host)
end
end end
end end
end end
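Review bot: `allow_customersdot` splices the raw value of CUSTOMER_PORTAL_URL into `frame_src`, so anything that is not a bare origin — a wildcard, a space-separated second token, userinfo, or a URL with a query string — is written into the directive as-is and can widen the policy or (as far as I can tell from the CSP source-expression grammar) make the browser drop the expression altogether. The `Rails.env.development?` guard in the first hunk limits the blast radius to developer machines, but the same helper pattern is easy to copy into a production-enabled variant later, so it is worth reducing the value to `scheme://host[:port]` before appending it, as the sketch below does; it accepts `http://` so a local CustomersDot such as `http://localhost:5000` keeps working. The method that owns the first hunk's `allow_*` calls starts and ends outside the hunk, so its surrounding logic was not reviewed here.
```ruby
def self.allow_customersdot(settings_hash)
  uri = URI.parse(ENV['CUSTOMER_PORTAL_URL'])
  # Only an origin goes into frame-src; path, query, userinfo or stray
  # whitespace in the env value would otherwise be spliced in verbatim.
  return unless uri.is_a?(URI::HTTP) && uri.host.present?

  origin = "#{uri.scheme}://#{uri.host}"
  origin = "#{origin}:#{uri.port}" if uri.port != uri.default_port
  append_to_directive(settings_hash, 'frame_src', origin)
rescue URI::InvalidURIError
  # Unparseable value: leave the policy unchanged rather than emit a broken directive.
end
```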
...@@ -61,6 +61,36 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -61,6 +61,36 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
expect(directives['font_src']).to eq("'self' https://example.com") expect(directives['font_src']).to eq("'self' https://example.com")
end end
end end
context 'when CUSTOMER_PORTAL_URL is set' do
before do
stub_env('CUSTOMER_PORTAL_URL', 'https://customers.example.com')
end
context 'when in production' do
before do
allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('production'))
end
it 'does not add CUSTOMER_PORTAL_URL to CSP' do
directives = settings['directives']
expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com")
end
end
context 'when in development' do
before do
allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('development'))
end
it 'adds CUSTOMER_PORTAL_URL to CSP' do
directives = settings['directives']
expect(directives['frame_src']).to eq("'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://customers.example.com")
end
end
end
end end
describe '#load' do describe '#load' do
......