Merge branch '337602-remove-jquery-from-jira-connect-app' into 'master'

Remove jQuery CSP headers from Jira Connect App

See merge request gitlab-org/gitlab!72105

app/controllers/jira_connect/subscriptions_controller.rb

@@ -7,8 +7,8 @@ class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
     next if p.directives.blank?
 
     # rubocop: disable Lint/PercentStringArray
-    script_src_values = Array.wrap(p.directives['script-src']) | %w('self' https://connect-cdn.atl-paas.net https://unpkg.com/jquery@3.3.1/)
-    style_src_values = Array.wrap(p.directives['style-src']) | %w('self' 'unsafe-inline' https://unpkg.com/@atlaskit/)
+    script_src_values = Array.wrap(p.directives['script-src']) | %w('self' https://connect-cdn.atl-paas.net)
+    style_src_values = Array.wrap(p.directives['style-src']) | %w('self' 'unsafe-inline')
     # rubocop: enable Lint/PercentStringArray
 
     p.frame_ancestors :self, 'https://*.atlassian.net'

spec/features/jira_connect/subscriptions_spec.rb

@@ -40,8 +40,8 @@ RSpec.describe 'Subscriptions Content Security Policy' do
       visit jira_connect_subscriptions_path(jwt: jwt)
 
       is_expected.to include("frame-ancestors 'self' https://*.atlassian.net")
-      is_expected.to include("script-src 'self' https://some-cdn.test https://connect-cdn.atl-paas.net https://unpkg.com/jquery@3.3.1/")
-      is_expected.to include("style-src 'self' https://some-cdn.test 'unsafe-inline' https://unpkg.com/@atlaskit/")
+      is_expected.to include("script-src 'self' https://some-cdn.test https://connect-cdn.atl-paas.net")
+      is_expected.to include("style-src 'self' https://some-cdn.test 'unsafe-inline'")
     end
   end
 end