Commit 1890efe7 authored by Dominic Couture's avatar Dominic Couture Committed by Terri Chu

Fix issue with CSP using Safari in dev mode

Safari doesn't support worker-src, and
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/71345
caused issues with web workers in Safari

Changelog: fixed
parent b413ea7b
...@@ -25,7 +25,7 @@ module Gitlab ...@@ -25,7 +25,7 @@ module Gitlab
'media_src' => "'self'", 'media_src' => "'self'",
'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com", 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
'style_src' => "'self' 'unsafe-inline'", 'style_src' => "'self' 'unsafe-inline'",
'worker_src' => "'self' blob: data:", 'worker_src' => "#{Gitlab::Utils.append_path(Gitlab.config.gitlab.url, 'assets/')} blob: data:",
'object_src' => "'none'", 'object_src' => "'none'",
'report_uri' => nil 'report_uri' => nil
} }
...@@ -39,11 +39,18 @@ module Gitlab ...@@ -39,11 +39,18 @@ module Gitlab
allow_customersdot(directives) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present? allow_customersdot(directives) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
allow_sentry(directives) if Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn allow_sentry(directives) if Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn
# The follow section contains workarounds to patch Safari's lack of support for CSP Level 3
# See https://gitlab.com/gitlab-org/gitlab/-/issues/343579
# frame-src was deprecated in CSP level 2 in favor of child-src # frame-src was deprecated in CSP level 2 in favor of child-src
# CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing # CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing
# However Safari seems to read child-src first so we'll just keep both equal # However Safari seems to read child-src first so we'll just keep both equal
directives['child_src'] = directives['frame_src'] directives['child_src'] = directives['frame_src']
# Safari also doesn't support worker-src and only checks child-src
# So for compatibility until it catches up to other browsers we need to
# append worker-src's content to child-src
directives['child_src'] += " #{directives['worker_src']}"
directives directives
end end
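Review bot: Appending worker-src's sources to child-src at `directives['child_src'] += " #{directives['worker_src']}"` widens the frame policy as well as the worker policy, because child-src also governs nested browsing contexts and, per the comment above, Safari consults child-src before frame-src; before this change child-src was equal to frame-src, now Safari will additionally accept `blob:`, `data:` and the assets origin as frame sources. If that is an accepted trade-off for the workaround, the comment block should state it, e.g. `# Note: since Safari reads child-src for frames too, this also permits frames from blob:/data: and the assets origin there`. The value being concatenated comes from the first hunk's new `worker_src`, where `'self'` was replaced by the interpolated assets URL; the space-separated source list assumes `Gitlab.config.gitlab.url` contains no whitespace or `;`, which appears to be trusted deployment configuration. The enclosing method starts outside the hunk.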
...@@ -50,7 +50,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -50,7 +50,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
expect(directives.has_key?('report_uri')).to be_truthy expect(directives.has_key?('report_uri')).to be_truthy
expect(directives['report_uri']).to be_nil expect(directives['report_uri']).to be_nil
expect(directives['child_src']).to eq(directives['frame_src']) expect(directives['child_src']).to eq("#{directives['frame_src']} #{directives['worker_src']}")
end end
context 'adds all websocket origins to support Safari' do context 'adds all websocket origins to support Safari' do
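Review bot: The new expectation `expect(directives['child_src']).to eq("#{directives['frame_src']} #{directives['worker_src']}")` restates the production concatenation in terms of the other two directives, so it still passes if `worker_src` silently loses the `blob:`/`data:` sources or the assets origin. A second assertion on literal content, such as `expect(directives['child_src']).to include('blob:', 'data:')`, would pin the intended Safari behaviour independently of how `worker_src` is built. The enclosing example block begins outside the hunk.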