Merge branch 'safari-worker-src' into 'master'

Fix web worker issue caused by the CSP using Safari in dev mode See merge request gitlab-org/gitlab!72728

Merge branch 'safari-worker-src' into 'master'
Fix web worker issue caused by the CSP using Safari in dev mode See merge request gitlab-org/gitlab!72728
82013c0e · Terri Chu · 39074c9b · 1890efe7 · 82013c0e · 82013c0e
Commit 82013c0e authored Oct 21, 2021 by Terri Chu
2 changed files
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -25,7 +25,7 @@ module Gitlab
          'media_src' => "'self'",
          'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
          'style_src' => "'self' 'unsafe-inline'",
-          'worker_src' => "'self' blob: data:",
+          'worker_src' => "#{Gitlab::Utils.append_path(Gitlab.config.gitlab.url, 'assets/')} blob: data:",
          'object_src' => "'none'",
          'report_uri' => nil
        }
@@ -39,11 +39,18 @@ module Gitlab
        allow_customersdot(directives) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
        allow_sentry(directives) if Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn

+        # The follow section contains workarounds to patch Safari's lack of support for CSP Level 3
+        # See https://gitlab.com/gitlab-org/gitlab/-/issues/343579
        # frame-src was deprecated in CSP level 2 in favor of child-src
        # CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing
        # However Safari seems to read child-src first so we'll just keep both equal
        directives['child_src'] = directives['frame_src']

+        # Safari also doesn't support worker-src and only checks child-src
+        # So for compatibility until it catches up to other browsers we need to
+        # append worker-src's content to child-src
+        directives['child_src'] += " #{directives['worker_src']}"
+
        directives
      end


--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -50,7 +50,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do

      expect(directives.has_key?('report_uri')).to be_truthy
      expect(directives['report_uri']).to be_nil
-      expect(directives['child_src']).to eq(directives['frame_src'])
+      expect(directives['child_src']).to eq("#{directives['frame_src']} #{directives['worker_src']}")
    end

    context 'adds all websocket origins to support Safari' do