Fix known issues with the CSP

Add a nonce to link preload tags, allow blob: and data: in worker-src Changelog: fixed

Fix known issues with the CSP
Add a nonce to link preload tags, allow blob: and data: in worker-src Changelog: fixed
f3e12343 · dcouture · Dheeraj Joshi · b92abd79 · f3e12343 · f3e12343
Commit f3e12343 authored May 26, 2021 by dcouture Committed by Dheeraj Joshi Jun 03, 2021
5 changed files
--- a/app/helpers/gitlab_script_tag_helper.rb
+++ b/app/helpers/gitlab_script_tag_helper.rb
@@ -21,4 +21,12 @@ module GitlabScriptTagHelper
    super
  end
+  def preload_link_tag(source, options = {})
+    # Chrome requires a nonce, see https://gitlab.com/gitlab-org/gitlab/-/issues/331810#note_584964908
+    # It's likely to be a browser bug, but we need to work around it anyway
+    options[:nonce] = content_security_policy_nonce
+    super
+  end
 end
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -24,7 +24,7 @@ module Gitlab
            'media_src' => "'self'",
            'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
            'style_src' => "'self' 'unsafe-inline'",
-            'worker_src' => "'self'",
+            'worker_src' => "'self' blob: data:",
            'object_src' => "'none'",
            'report_uri' => nil
          }
@@ -79,6 +79,7 @@ module Gitlab
        append_to_directive(settings_hash, 'script_src', cdn_host)
        append_to_directive(settings_hash, 'style_src', cdn_host)
+        append_to_directive(settings_hash, 'font_src', cdn_host)
      end
      def self.append_to_directive(settings_hash, directive, text)

--- a/spec/helpers/gitlab_script_tag_helper_spec.rb
+++ b/spec/helpers/gitlab_script_tag_helper_spec.rb
@@ -41,4 +41,11 @@ RSpec.describe GitlabScriptTagHelper do
      expect(helper.javascript_tag( '// ignored', type: 'application/javascript') { 'alert(1)' }.to_s).to eq tag_with_nonce_and_type
    end
  end
+  describe '#preload_link_tag' do
+    it 'returns a link tag with a nonce' do
+      expect(helper.preload_link_tag('https://example.com/script.js').to_s)
+        .to eq "<link rel=\"preload\" href=\"https://example.com/script.js\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">"
+    end
+  end
 end
--- a/spec/helpers/webpack_helper_spec.rb
+++ b/spec/helpers/webpack_helper_spec.rb
@@ -15,6 +15,7 @@ RSpec.describe WebpackHelper do
  describe '#webpack_preload_asset_tag' do
    before do
      allow(Gitlab::Webpack::Manifest).to receive(:asset_paths).and_return([asset_path])
+      allow(helper).to receive(:content_security_policy_nonce).and_return('noncevalue')
    end
    it 'preloads the resource by default' do
@@ -22,7 +23,7 @@ RSpec.describe WebpackHelper do
      output = helper.webpack_preload_asset_tag(source)
-      expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\">")
+      expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">")
    end
    it 'prefetches the resource if explicitly asked' do

--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -58,6 +58,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
        expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
+        expect(directives['font_src']).to eq("'self' https://example.com")
      end
    end
  end