Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
15f20d46
Commit
15f20d46
authored
Jan 14, 2020
by
Alex Buijs
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add CSP headers for Zuora iFrame
parent
e3fae047
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
75 additions
and
0 deletions
+75
-0
ee/app/controllers/subscriptions_controller.rb
ee/app/controllers/subscriptions_controller.rb
+18
-0
ee/spec/features/subscriptions_spec.rb
ee/spec/features/subscriptions_spec.rb
+57
-0
No files found.
ee/app/controllers/subscriptions_controller.rb
View file @
15f20d46
...
@@ -4,6 +4,24 @@ class SubscriptionsController < ApplicationController
...
@@ -4,6 +4,24 @@ class SubscriptionsController < ApplicationController
layout
'checkout'
layout
'checkout'
skip_before_action
:authenticate_user!
,
only: :new
skip_before_action
:authenticate_user!
,
only: :new
content_security_policy
do
|
p
|
next
if
p
.
directives
.
blank?
next
unless
Feature
.
enabled?
(
:paid_signup_flow
)
default_script_src
=
p
.
directives
[
'script-src'
]
||
p
.
directives
[
'default-src'
]
script_src_values
=
Array
.
wrap
(
default_script_src
)
|
[
"'self'"
,
"'unsafe-eval'"
,
'https://*.zuora.com'
]
default_frame_src
=
p
.
directives
[
'frame-src'
]
||
p
.
directives
[
'default-src'
]
frame_src_values
=
Array
.
wrap
(
default_frame_src
)
|
[
"'self'"
,
'https://*.zuora.com'
]
default_child_src
=
p
.
directives
[
'child-src'
]
||
p
.
directives
[
'default-src'
]
child_src_values
=
Array
.
wrap
(
default_child_src
)
|
[
"'self'"
,
'https://*.zuora.com'
]
p
.
script_src
(
*
script_src_values
)
p
.
frame_src
(
*
frame_src_values
)
p
.
child_src
(
*
child_src_values
)
end
def
new
def
new
if
experiment_enabled?
(
:paid_signup_flow
)
if
experiment_enabled?
(
:paid_signup_flow
)
return
if
current_user
return
if
current_user
...
...
ee/spec/features/subscriptions_spec.rb
0 → 100644
View file @
15f20d46
# frozen_string_literal: true
require
'spec_helper'
describe
'Subscriptions Content Security Policy'
do
subject
{
response_headers
[
'Content-Security-Policy'
]
}
let_it_be
(
:default_csp_values
)
{
"'self' https://some-cdn.test"
}
let_it_be
(
:zuora_url
)
{
'https://*.zuora.com'
}
before
do
stub_experiment_for_user
(
paid_signup_flow:
true
,
signup_flow:
true
)
stub_request
(
:get
,
/.*gitlab_plans.*/
).
to_return
(
status:
200
,
body:
"{}"
)
expect_next_instance_of
(
SubscriptionsController
)
do
|
controller
|
expect
(
controller
).
to
receive
(
:current_content_security_policy
).
and_return
(
csp
)
end
sign_in
(
create
(
:user
))
visit
new_subscriptions_path
end
context
'when there is no global CSP config'
do
let
(
:csp
)
{
ActionDispatch
::
ContentSecurityPolicy
.
new
}
it
{
is_expected
.
to
be_blank
}
end
context
'when a global CSP config exists'
do
let
(
:csp
)
do
ActionDispatch
::
ContentSecurityPolicy
.
new
do
|
p
|
p
.
script_src
(
*
default_csp_values
.
split
)
p
.
frame_src
(
*
default_csp_values
.
split
)
p
.
child_src
(
*
default_csp_values
.
split
)
end
end
it
{
is_expected
.
to
include
(
"script-src
#{
default_csp_values
}
'unsafe-eval'
#{
zuora_url
}
"
)
}
it
{
is_expected
.
to
include
(
"frame-src
#{
default_csp_values
}
#{
zuora_url
}
"
)
}
it
{
is_expected
.
to
include
(
"child-src
#{
default_csp_values
}
#{
zuora_url
}
"
)
}
end
context
'when just a default CSP config exists'
do
let
(
:csp
)
do
ActionDispatch
::
ContentSecurityPolicy
.
new
do
|
p
|
p
.
default_src
(
*
default_csp_values
.
split
)
end
end
it
{
is_expected
.
to
include
(
"default-src
#{
default_csp_values
}
"
)
}
it
{
is_expected
.
to
include
(
"script-src
#{
default_csp_values
}
'unsafe-eval'
#{
zuora_url
}
"
)
}
it
{
is_expected
.
to
include
(
"frame-src
#{
default_csp_values
}
#{
zuora_url
}
"
)
}
it
{
is_expected
.
to
include
(
"child-src
#{
default_csp_values
}
#{
zuora_url
}
"
)
}
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment