Commit f3e12343 authored by dcouture's avatar dcouture Committed by Dheeraj Joshi

Fix known issues with the CSP

Add a nonce to link preload tags, allow blob: and data: in worker-src

Changelog: fixed
parent b92abd79
......@@ -21,4 +21,12 @@ module GitlabScriptTagHelper
super
end
def preload_link_tag(source, options = {})
# Chrome requires a nonce, see https://gitlab.com/gitlab-org/gitlab/-/issues/331810#note_584964908
# It's likely to be a browser bug, but we need to work around it anyway
options[:nonce] = content_security_policy_nonce
super
end
end
......@@ -24,7 +24,7 @@ module Gitlab
'media_src' => "'self'",
'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
'style_src' => "'self' 'unsafe-inline'",
'worker_src' => "'self'",
'worker_src' => "'self' blob: data:",
'object_src' => "'none'",
'report_uri' => nil
}
......@@ -79,6 +79,7 @@ module Gitlab
append_to_directive(settings_hash, 'script_src', cdn_host)
append_to_directive(settings_hash, 'style_src', cdn_host)
append_to_directive(settings_hash, 'font_src', cdn_host)
end
def self.append_to_directive(settings_hash, directive, text)
......
......@@ -41,4 +41,11 @@ RSpec.describe GitlabScriptTagHelper do
expect(helper.javascript_tag( '// ignored', type: 'application/javascript') { 'alert(1)' }.to_s).to eq tag_with_nonce_and_type
end
end
describe '#preload_link_tag' do
it 'returns a link tag with a nonce' do
expect(helper.preload_link_tag('https://example.com/script.js').to_s)
.to eq "<link rel=\"preload\" href=\"https://example.com/script.js\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">"
end
end
end
......@@ -15,6 +15,7 @@ RSpec.describe WebpackHelper do
describe '#webpack_preload_asset_tag' do
before do
allow(Gitlab::Webpack::Manifest).to receive(:asset_paths).and_return([asset_path])
allow(helper).to receive(:content_security_policy_nonce).and_return('noncevalue')
end
it 'preloads the resource by default' do
......@@ -22,7 +23,7 @@ RSpec.describe WebpackHelper do
output = helper.webpack_preload_asset_tag(source)
expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\">")
expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">")
end
it 'prefetches the resource if explicitly asked' do
......
......@@ -58,6 +58,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
expect(directives['font_src']).to eq("'self' https://example.com")
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment