Commit 5feebcca authored by Bob Van Landuyt's avatar Bob Van Landuyt

Merge branch 'rc/adjust_iframe_csp_for_tracing' into 'master'

Adjust iframe csp for tracing page

See merge request gitlab-org/gitlab!21156
parents 0364dfef 659b641c
# frozen_string_literal: true # frozen_string_literal: true
class Projects::TracingsController < Projects::ApplicationController class Projects::TracingsController < Projects::ApplicationController
content_security_policy do |p|
next if p.directives.blank?
global_frame_src = p.frame_src
p.frame_src -> { frame_src_csp_policy(global_frame_src) }
end
before_action :check_license before_action :check_license
before_action :authorize_update_environment! before_action :authorize_update_environment!
...@@ -12,4 +20,10 @@ class Projects::TracingsController < Projects::ApplicationController ...@@ -12,4 +20,10 @@ class Projects::TracingsController < Projects::ApplicationController
def check_license def check_license
render_404 unless @project.feature_available?(:tracing, current_user) render_404 unless @project.feature_available?(:tracing, current_user)
end end
def frame_src_csp_policy(global_frame_src)
external_url = @project&.tracing_setting&.external_url
external_url.presence || global_frame_src
end
end end
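Review bot: `frame_src_csp_policy` places the project-configurable `tracing_setting.external_url` verbatim into the `frame-src` directive, so the header's integrity now depends on that value being a single well-formed origin: whitespace inside it would add a further source expression and a `;` would start a new directive. The model may already validate it as one URL (not visible in this diff), but a local guard keeps the controller safe on its own, e.g. `return global_frame_src unless external_url.to_s.match?(%r{\Ahttps?://\S+\z})` placed before the final line of the method. The `next if p.directives.blank?` line also deserves a why-comment, since the spec relies on it, e.g. `# No global CSP configured means this page sends none either; frame-src is only overridden when a policy exists`. The controller section's file header and the first hunk's `@@` header are outside the visible lines.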
# frozen_string_literal: true
require 'spec_helper'
describe 'Tracings Content Security Policy' do
set(:user) { create(:user) }
let(:project) { create(:project) }
subject { response_headers['Content-Security-Policy'] }
before do
project.add_maintainer(user)
sign_in(user)
end
context 'when there is no global config' do
before do
expect_next_instance_of(Projects::TracingsController) do |controller|
expect(controller).to receive(:current_content_security_policy)
.and_return(ActionDispatch::ContentSecurityPolicy.new)
end
end
it 'does not add CSP directives' do
visit project_tracing_path(project)
is_expected.to be_blank
end
end
context 'when a global CSP config exists' do
before do
csp = ActionDispatch::ContentSecurityPolicy.new do |p|
p.frame_src 'https://global-policy.com'
end
expect_next_instance_of(Projects::TracingsController) do |controller|
expect(controller).to receive(:current_content_security_policy).and_return(csp)
end
end
context 'when external_url is set' do
let!(:project_tracing_setting) { create(:project_tracing_setting, project: project) }
it 'overwrites frame-src' do
visit project_tracing_path(project)
is_expected.to eq("frame-src https://example.com")
end
end
context 'when external_url is not set' do
it 'uses global policy' do
visit project_tracing_path(project)
is_expected.to eq("frame-src https://global-policy.com")
end
end
end
end
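Review bot: The 'overwrites frame-src' example, at the `is_expected.to eq("frame-src https://example.com")` line, depends on the `:project_tracing_setting` factory's default `external_url`, which is not visible here, so a later factory change would break this expectation for an unrelated reason. Passing the value explicitly, `let!(:project_tracing_setting) { create(:project_tracing_setting, project: project, external_url: 'https://example.com') }`, makes the example self-describing. If the model permits a blank `external_url`, a third example under the global-policy context would pin the `presence` fallback the controller relies on.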