Merge branch 'rollback-csp' into 'master'

Set CSP back to disabled by default See merge request gitlab-org/gitlab!62961

Merge branch 'rollback-csp' into 'master'
Set CSP back to disabled by default See merge request gitlab-org/gitlab!62961
39a50a66 · Etienne Baqué · ecb4ee16 · 226b5c8d · 39a50a66 · 39a50a66
Commit 39a50a66 authored Jun 03, 2021 by Etienne Baqué
2 changed files
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -9,7 +9,7 @@ module Gitlab

      def self.default_settings_hash
        settings_hash = {
-          'enabled' => true,
+          'enabled' => Rails.env.development? || Rails.env.test?,
          'report_only' => false,
          'directives' => {
            'default_src' => "'self'",

--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -20,9 +20,9 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
  end

  describe '.default_settings_hash' do
-    it 'returns defaults for all keys' do
-      settings = described_class.default_settings_hash
+    let(:settings) { described_class.default_settings_hash }

+    it 'returns defaults for all keys' do
      expect(settings['enabled']).to be_truthy
      expect(settings['report_only']).to be_falsey

@@ -38,13 +38,22 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
      expect(directives['child_src']).to eq(directives['frame_src'])
    end

+    context 'when in production' do
+      before do
+        allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('production'))
+      end
+
+      it 'is disabled' do
+        expect(settings['enabled']).to be_falsey
+      end
+    end
+
    context 'when GITLAB_CDN_HOST is set' do
      before do
        stub_env('GITLAB_CDN_HOST', 'https://example.com')
      end

      it 'adds GITLAB_CDN_HOST to CSP' do
-        settings = described_class.default_settings_hash
        directives = settings['directives']

        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")