Merge branch 'dcouture-customers-dot-csp' into 'master'

Add customers-dot URL to CSP not only in dev See merge request gitlab-org/gitlab!84396

Merge branch 'dcouture-customers-dot-csp' into 'master'
Add customers-dot URL to CSP not only in dev See merge request gitlab-org/gitlab!84396
abc0d02c · Matthias Käppler · ae8971da · 6d485027 · abc0d02c · abc0d02c
Commit abc0d02c authored Apr 07, 2022 by Matthias Käppler
2 changed files
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -37,13 +37,13 @@ module Gitlab
          allow_webpack_dev_server(directives)
          allow_letter_opener(directives)
          allow_snowplow_micro(directives) if Gitlab::Tracking.snowplow_micro_enabled?
-          allow_customersdot(directives) if ENV['CUSTOMER_PORTAL_URL'].present?
        end

        allow_websocket_connections(directives)
        allow_cdn(directives, Settings.gitlab.cdn_host) if Settings.gitlab.cdn_host.present?
        allow_sentry(directives) if Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn
        allow_framed_gitlab_paths(directives)
+        allow_customersdot(directives) if ENV['CUSTOMER_PORTAL_URL'].present?

        # The follow section contains workarounds to patch Safari's lack of support for CSP Level 3
        # See https://gitlab.com/gitlab-org/gitlab/-/issues/343579

--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -107,24 +107,8 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
        stub_env('CUSTOMER_PORTAL_URL', customer_portal_url)
      end

-      context 'when in production' do
-        before do
-          allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('production'))
-        end
-
-        it 'does not add CUSTOMER_PORTAL_URL to CSP' do
-          expect(directives['frame_src']).to eq(::Gitlab::ContentSecurityPolicy::Directives.frame_src + " http://localhost/admin/ http://localhost/assets/ http://localhost/-/speedscope/index.html http://localhost/-/sandbox/mermaid")
-        end
-      end
-
-      context 'when in development' do
-        before do
-          allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new('development'))
-        end
-
-        it 'adds CUSTOMER_PORTAL_URL to CSP' do
-          expect(directives['frame_src']).to eq(::Gitlab::ContentSecurityPolicy::Directives.frame_src + " http://localhost/rails/letter_opener/ https://customers.example.com http://localhost/admin/ http://localhost/assets/ http://localhost/-/speedscope/index.html http://localhost/-/sandbox/mermaid")
-        end
+      it 'adds CUSTOMER_PORTAL_URL to CSP' do
+        expect(directives['frame_src']).to eq(::Gitlab::ContentSecurityPolicy::Directives.frame_src + " http://localhost/admin/ http://localhost/assets/ http://localhost/-/speedscope/index.html http://localhost/-/sandbox/mermaid #{customer_portal_url}")
      end
    end