Commit 5c9fefb0 authored by Jose Ivan Vargas's avatar Jose Ivan Vargas

Merge branch '337602-remove-jquery-from-jira-connect-app' into 'master'

Remove jQuery CSP headers from Jira Connect App

See merge request gitlab-org/gitlab!72105
parents 1d75928a f531c64b
...@@ -7,8 +7,8 @@ class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController ...@@ -7,8 +7,8 @@ class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
next if p.directives.blank? next if p.directives.blank?
# rubocop: disable Lint/PercentStringArray # rubocop: disable Lint/PercentStringArray
script_src_values = Array.wrap(p.directives['script-src']) | %w('self' https://connect-cdn.atl-paas.net https://unpkg.com/jquery@3.3.1/) script_src_values = Array.wrap(p.directives['script-src']) | %w('self' https://connect-cdn.atl-paas.net)
style_src_values = Array.wrap(p.directives['style-src']) | %w('self' 'unsafe-inline' https://unpkg.com/@atlaskit/) style_src_values = Array.wrap(p.directives['style-src']) | %w('self' 'unsafe-inline')
# rubocop: enable Lint/PercentStringArray # rubocop: enable Lint/PercentStringArray
p.frame_ancestors :self, 'https://*.atlassian.net' p.frame_ancestors :self, 'https://*.atlassian.net'
......
...@@ -40,8 +40,8 @@ RSpec.describe 'Subscriptions Content Security Policy' do ...@@ -40,8 +40,8 @@ RSpec.describe 'Subscriptions Content Security Policy' do
visit jira_connect_subscriptions_path(jwt: jwt) visit jira_connect_subscriptions_path(jwt: jwt)
is_expected.to include("frame-ancestors 'self' https://*.atlassian.net") is_expected.to include("frame-ancestors 'self' https://*.atlassian.net")
is_expected.to include("script-src 'self' https://some-cdn.test https://connect-cdn.atl-paas.net https://unpkg.com/jquery@3.3.1/") is_expected.to include("script-src 'self' https://some-cdn.test https://connect-cdn.atl-paas.net")
is_expected.to include("style-src 'self' https://some-cdn.test 'unsafe-inline' https://unpkg.com/@atlaskit/") is_expected.to include("style-src 'self' https://some-cdn.test 'unsafe-inline'")
end end
end end
end end
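Review bot: The two `is_expected.to include(...)` checks for script-src and style-src match a substring, and the new expected text is a strict prefix of the old one, so the spec still passes if `https://unpkg.com/jquery@3.3.1/` or `https://unpkg.com/@atlaskit/` remain appended to the directive — it does not actually prove the removal the commit makes. Anchor the expectation on the directive terminator, e.g. `is_expected.to include("script-src 'self' https://some-cdn.test https://connect-cdn.atl-paas.net;")`, or add `is_expected.not_to include('https://unpkg.com')` so a regression that re-adds a third-party origin fails the test. The exact serialization of the header (whether directives end in `;`) is not visible in this hunk, so confirm the terminator form against the rendered header before adopting the first variant. The spec also continues to assert `'unsafe-inline'` in style-src; a one-line comment next to that expectation recording why inline styles are still required by the Connect app would help whoever next tightens this policy.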