Modify CSP when sentry is configured

1081915a · dcouture · c3be0d38 · 1081915a · 1081915a
Commit 1081915a authored Aug 09, 2021 by dcouture
2 changed files
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -38,6 +38,7 @@ module Gitlab
        allow_webpack_dev_server(settings_hash) if Rails.env.development?
        allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
        allow_customersdot(settings_hash) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
+        allow_sentry(settings_hash) if Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn

        settings_hash
      end
@@ -92,6 +93,14 @@ module Gitlab

        append_to_directive(settings_hash, 'frame_src', customersdot_host)
      end
+
+      def self.allow_sentry(settings_hash)
+        sentry_dsn = Gitlab.config.sentry.clientside_dsn
+        sentry_uri = URI(sentry_dsn)
+        sentry_uri.user = nil
+
+        append_to_directive(settings_hash, 'connect_src', sentry_uri.to_s)
+      end
    end
  end
 end
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -62,6 +62,18 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
      end
    end

+    context 'when sentry is configured' do
+      before do
+        stub_sentry_settings
+      end
+
+      it 'adds sentry path to CSP without user' do
+        directives = settings['directives']
+
+        expect(directives['connect_src']).to eq("'self' dummy://example.com/43")
+      end
+    end
+
    context 'when CUSTOMER_PORTAL_URL is set' do
      before do
        stub_env('CUSTOMER_PORTAL_URL', 'https://customers.example.com')