Address Content Security Policy concerns

Moves CSP from the default/global level to the controllers, so the exception gets less risky.

Address Content Security Policy concerns
Moves CSP from the default/global level to the controllers, so the exception gets less risky.
7029aa51 · Axel García · aa00d221 · 7029aa51 · 7029aa51 · 7029aa51
Commit 7029aa51 authored Oct 08, 2021 by Axel García
6 changed files
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -15,6 +15,16 @@ class RegistrationsController < Devise::RegistrationsController

  feature_category :authentication_and_authorization

+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    policy.script_src(*script_src_values)
+
+    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    policy.connect_src(*connect_src_values)
+  end
+
  def new
    @resource = build_resource
  end

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -55,6 +55,16 @@ class SessionsController < Devise::SessionsController
  CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'
  MAX_FAILED_LOGIN_ATTEMPTS = 5

+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    policy.script_src(*script_src_values)
+
+    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    policy.connect_src(*connect_src_values)
+  end
+
  def new
    set_minimum_password_length


--- a/app/views/layouts/_one_trust.html.haml
+++ b/app/views/layouts/_one_trust.html.haml
 - if one_trust_enabled?
  <!-- OneTrust -->
  = javascript_include_tag "https://cdn.cookielaw.org/consent/#{extra_config.one_trust_id}/OtAutoBlock.js"
-  %script{ :src => "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", :charset => "UTF-8", :"data-domain-script" => extra_config.one_trust_id, :defer => true, :nonce => true }
-  = javascript_tag nonce: true do
+  %script{ :src => "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", :charset => "UTF-8", :"data-domain-script" => extra_config.one_trust_id, :defer => true, :nonce => content_security_policy_nonce }
+  = javascript_tag nonce: content_security_policy_nonce do
    :plain
      function OptanonWrapper() { }
--- a/ee/app/controllers/trial_registrations_controller.rb
+++ b/ee/app/controllers/trial_registrations_controller.rb
@@ -12,6 +12,16 @@ class TrialRegistrationsController < RegistrationsController
  before_action :check_if_gl_com_or_dev
  before_action :set_redirect_url, only: [:new]

+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    policy.script_src(*script_src_values)
+
+    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    policy.connect_src(*connect_src_values)
+  end
+
  def new
  end


--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -15,7 +15,7 @@ module Gitlab
        directives = {
          'default_src' => "'self'",
          'base_uri' => "'self'",
-          'connect_src' => "'self' https://cdn.cookielaw.org",
+          'connect_src' => "'self'",
          'font_src' => "'self'",
          'form_action' => "'self' https: http:",
          'frame_ancestors' => "'self'",
@@ -23,7 +23,7 @@ module Gitlab
          'img_src' => "'self' data: blob: http: https:",
          'manifest_src' => "'self'",
          'media_src' => "'self'",
-          'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org",
+          'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
          'style_src' => "'self' 'unsafe-inline'",
          'worker_src' => "'self' blob: data:",
          'object_src' => "'none'",

--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -56,22 +56,22 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
    context 'adds all websocket origins to support Safari' do
      it 'with insecure domain' do
        stub_config_setting(host: 'example.com', https: false)
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com")
+        expect(directives['connect_src']).to eq("'self' ws://example.com")
      end

      it 'with secure domain' do
        stub_config_setting(host: 'example.com', https: true)
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org wss://example.com")
+        expect(directives['connect_src']).to eq("'self' wss://example.com")
      end

      it 'with custom port' do
        stub_config_setting(host: 'example.com', port: '1234')
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com:1234")
+        expect(directives['connect_src']).to eq("'self' ws://example.com:1234")
      end

      it 'with custom port and secure domain' do
        stub_config_setting(host: 'example.com', https: true, port: '1234')
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org wss://example.com:1234")
+        expect(directives['connect_src']).to eq("'self' wss://example.com:1234")
      end
    end

@@ -81,7 +81,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
      end

      it 'adds CDN host to CSP' do
-        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://example.com")
+        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
        expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
        expect(directives['font_src']).to eq("'self' https://example.com")
      end
@@ -94,7 +94,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
      end

      it 'adds sentry path to CSP without user' do
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com dummy://example.com/43")
+        expect(directives['connect_src']).to eq("'self' ws://example.com dummy://example.com/43")
      end
    end