Commit 58608047 authored by Stan Hu's avatar Stan Hu

Merge branch 'add-csp-headers-for-zuora-iframe' into 'master'

Add CSP headers for Zuora iFrame

Closes #196529

See merge request gitlab-org/gitlab!23001
parents 0ca501b8 15f20d46
......@@ -4,6 +4,24 @@ class SubscriptionsController < ApplicationController
layout 'checkout'
skip_before_action :authenticate_user!, only: :new
content_security_policy do |p|
next if p.directives.blank?
next unless Feature.enabled?(:paid_signup_flow)
default_script_src = p.directives['script-src'] || p.directives['default-src']
script_src_values = Array.wrap(default_script_src) | ["'self'", "'unsafe-eval'", 'https://*.zuora.com']
default_frame_src = p.directives['frame-src'] || p.directives['default-src']
frame_src_values = Array.wrap(default_frame_src) | ["'self'", 'https://*.zuora.com']
default_child_src = p.directives['child-src'] || p.directives['default-src']
child_src_values = Array.wrap(default_child_src) | ["'self'", 'https://*.zuora.com']
p.script_src(*script_src_values)
p.frame_src(*frame_src_values)
p.child_src(*child_src_values)
end
def new
if experiment_enabled?(:paid_signup_flow)
return if current_user
......
# frozen_string_literal: true
require 'spec_helper'
describe 'Subscriptions Content Security Policy' do
subject { response_headers['Content-Security-Policy'] }
let_it_be(:default_csp_values) { "'self' https://some-cdn.test" }
let_it_be(:zuora_url) { 'https://*.zuora.com' }
before do
stub_experiment_for_user(paid_signup_flow: true, signup_flow: true)
stub_request(:get, /.*gitlab_plans.*/).to_return(status: 200, body: "{}")
expect_next_instance_of(SubscriptionsController) do |controller|
expect(controller).to receive(:current_content_security_policy).and_return(csp)
end
sign_in(create(:user))
visit new_subscriptions_path
end
context 'when there is no global CSP config' do
let(:csp) { ActionDispatch::ContentSecurityPolicy.new }
it { is_expected.to be_blank }
end
context 'when a global CSP config exists' do
let(:csp) do
ActionDispatch::ContentSecurityPolicy.new do |p|
p.script_src(*default_csp_values.split)
p.frame_src(*default_csp_values.split)
p.child_src(*default_csp_values.split)
end
end
it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{zuora_url}") }
it { is_expected.to include("frame-src #{default_csp_values} #{zuora_url}") }
it { is_expected.to include("child-src #{default_csp_values} #{zuora_url}") }
end
context 'when just a default CSP config exists' do
let(:csp) do
ActionDispatch::ContentSecurityPolicy.new do |p|
p.default_src(*default_csp_values.split)
end
end
it { is_expected.to include("default-src #{default_csp_values}") }
it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{zuora_url}") }
it { is_expected.to include("frame-src #{default_csp_values} #{zuora_url}") }
it { is_expected.to include("child-src #{default_csp_values} #{zuora_url}") }
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment