Configure CSP for displaying Youtube videos in the Static Site Editor

Closes: https://gitlab.com/gitlab-org/gitlab/-/issues/270106

Configure CSP for displaying Youtube videos in the Static Site Editor
Closes: https://gitlab.com/gitlab-org/gitlab/-/issues/270106
29146003 · Vasilii Iakliushin · 416ec57b · 29146003 · 29146003 · 29146003
Commit 29146003 authored Oct 21, 2020 by Vasilii Iakliushin
3 changed files
--- a/app/controllers/projects/static_site_editor_controller.rb
+++ b/app/controllers/projects/static_site_editor_controller.rb
@@ -6,6 +6,13 @@ class Projects::StaticSiteEditorController < Projects::ApplicationController

  layout 'fullscreen'

+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    frame_src_values = Array.wrap(policy.directives['frame-src']) | ['https://www.youtube.com']
+    policy.frame_src(*frame_src_values)
+  end
+
  prepend_before_action :authenticate_user!, only: [:show]
  before_action :assign_ref_and_path, only: [:show]
  before_action :authorize_edit_tree!, only: [:show]

--- a/changelogs/unreleased/270106_enable_csp_for_sse.yml
+++ b/changelogs/unreleased/270106_enable_csp_for_sse.yml
+---
+title: Configure CSP for displaying Youtube videos in the Static Site Editor
+merge_request: 45767
+author:
+type: fixed
--- a/spec/features/static_site_editor_spec.rb
+++ b/spec/features/static_site_editor_spec.rb
@@ -73,4 +73,44 @@ RSpec.describe 'Static Site Editor' do
      expect(node['data-static-site-generator']).to eq('middleman')
    end
  end
+
+  describe 'Static Site Editor Content Security Policy' do
+    subject { response_headers['Content-Security-Policy'] }
+
+    context 'when no global CSP config exists' do
+      before do
+        expect_next_instance_of(Projects::StaticSiteEditorController) do |controller|
+          expect(controller).to receive(:current_content_security_policy)
+            .and_return(ActionDispatch::ContentSecurityPolicy.new)
+        end
+      end
+
+      it 'does not add CSP directives' do
+        visit sse_path
+
+        is_expected.to be_blank
+      end
+    end
+
+    context 'when a global CSP config exists' do
+      let_it_be(:cdn_url) { 'https://some-cdn.test' }
+      let_it_be(:youtube_url) { 'https://www.youtube.com' }
+
+      before do
+        csp = ActionDispatch::ContentSecurityPolicy.new do |p|
+          p.frame_src :self, cdn_url
+        end
+
+        expect_next_instance_of(Projects::StaticSiteEditorController) do |controller|
+          expect(controller).to receive(:current_content_security_policy).and_return(csp)
+        end
+      end
+
+      it 'appends youtube to the CSP frame-src policy' do
+        visit sse_path
+
+        is_expected.to eql("frame-src 'self' #{cdn_url} #{youtube_url}")
+      end
+    end
+  end
 end