Merge branch 'fix-csp-issue' into 'master'

Fix known issues with the CSP See merge request gitlab-org/gitlab!62615

Merge branch 'fix-csp-issue' into 'master'
Fix known issues with the CSP See merge request gitlab-org/gitlab!62615
c22637b5 · Heinrich Lee Yu · 788490c2 · c827770c · c22637b5 · c22637b5
Commit c22637b5 authored Jun 03, 2021 by Heinrich Lee Yu
5 changed files
--- a/app/helpers/gitlab_script_tag_helper.rb
+++ b/app/helpers/gitlab_script_tag_helper.rb
@@ -21,4 +21,12 @@ module GitlabScriptTagHelper

    super
  end
+
+  def preload_link_tag(source, options = {})
+    # Chrome requires a nonce, see https://gitlab.com/gitlab-org/gitlab/-/issues/331810#note_584964908
+    # It's likely to be a browser bug, but we need to work around it anyway
+    options[:nonce] = content_security_policy_nonce
+
+    super
+  end
 end
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -24,7 +24,7 @@ module Gitlab
            'media_src' => "'self'",
            'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
            'style_src' => "'self' 'unsafe-inline'",
-            'worker_src' => "'self'",
+            'worker_src' => "'self' blob: data:",
            'object_src' => "'none'",
            'report_uri' => nil
          }
@@ -37,6 +37,7 @@ module Gitlab

        allow_webpack_dev_server(settings_hash) if Rails.env.development?
        allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
+        allow_snowplow(settings_hash) if Gitlab::CurrentSettings.snowplow_enabled?

        settings_hash
      end
@@ -79,6 +80,11 @@ module Gitlab

        append_to_directive(settings_hash, 'script_src', cdn_host)
        append_to_directive(settings_hash, 'style_src', cdn_host)
+        append_to_directive(settings_hash, 'font_src', cdn_host)
+      end
+
+      def self.allow_snowplow(settings_hash)
+        append_to_directive(settings_hash, 'connect_src', Gitlab::CurrentSettings.snowplow_collector_hostname)
      end

      def self.append_to_directive(settings_hash, directive, text)

--- a/spec/helpers/gitlab_script_tag_helper_spec.rb
+++ b/spec/helpers/gitlab_script_tag_helper_spec.rb
@@ -41,4 +41,11 @@ RSpec.describe GitlabScriptTagHelper do
      expect(helper.javascript_tag( '// ignored', type: 'application/javascript') { 'alert(1)' }.to_s).to eq tag_with_nonce_and_type
    end
  end
+
+  describe '#preload_link_tag' do
+    it 'returns a link tag with a nonce' do
+      expect(helper.preload_link_tag('https://example.com/script.js').to_s)
+        .to eq "<link rel=\"preload\" href=\"https://example.com/script.js\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">"
+    end
+  end
 end
--- a/spec/helpers/webpack_helper_spec.rb
+++ b/spec/helpers/webpack_helper_spec.rb
@@ -15,6 +15,7 @@ RSpec.describe WebpackHelper do
  describe '#webpack_preload_asset_tag' do
    before do
      allow(Gitlab::Webpack::Manifest).to receive(:asset_paths).and_return([asset_path])
+      allow(helper).to receive(:content_security_policy_nonce).and_return('noncevalue')
    end

    it 'preloads the resource by default' do
@@ -22,7 +23,7 @@ RSpec.describe WebpackHelper do

      output = helper.webpack_preload_asset_tag(source)

-      expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\">")
+      expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">")
    end

    it 'prefetches the resource if explicitly asked' do

--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -49,6 +49,21 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do

        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
        expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
+        expect(directives['font_src']).to eq("'self' https://example.com")
+      end
+    end
+
+    context 'when snowplow is configured' do
+      before do
+        stub_application_setting(snowplow_enabled: true)
+        stub_application_setting(snowplow_collector_hostname: 'snowplow.example.com')
+      end
+
+      it 'adds snowplow to CSP' do
+        settings = described_class.default_settings_hash
+        directives = settings['directives']
+
+        expect(directives['connect_src']).to eq("'self' snowplow.example.com")
      end
    end
  end