Address Content Security Policy concerns

Moves CSP from the default/global level to the
controllers, so the exception gets less risky.

app/controllers/registrations_controller.rb

@@ -15,6 +15,16 @@ class RegistrationsController < Devise::RegistrationsController
 
   feature_category :authentication_and_authorization
 
+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    policy.script_src(*script_src_values)
+
+    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    policy.connect_src(*connect_src_values)
+  end
+
   def new
     @resource = build_resource
   end

app/controllers/sessions_controller.rb

@@ -55,6 +55,16 @@ class SessionsController < Devise::SessionsController
   CAPTCHA_HEADER = 'X-GitLab-Show-Login-Captcha'
   MAX_FAILED_LOGIN_ATTEMPTS = 5
 
+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    policy.script_src(*script_src_values)
+
+    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    policy.connect_src(*connect_src_values)
+  end
+
   def new
     set_minimum_password_length
 

app/views/layouts/_one_trust.html.haml

 - if one_trust_enabled?
   <!-- OneTrust -->
   = javascript_include_tag "https://cdn.cookielaw.org/consent/#{extra_config.one_trust_id}/OtAutoBlock.js"
-  %script{ :src => "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", :charset => "UTF-8", :"data-domain-script" => extra_config.one_trust_id, :defer => true, :nonce => true }
-  = javascript_tag nonce: true do
+  %script{ :src => "https://cdn.cookielaw.org/scripttemplates/otSDKStub.js", :charset => "UTF-8", :"data-domain-script" => extra_config.one_trust_id, :defer => true, :nonce => content_security_policy_nonce }
+  = javascript_tag nonce: content_security_policy_nonce do
     :plain
       function OptanonWrapper() { }

ee/app/controllers/trial_registrations_controller.rb

@@ -12,6 +12,16 @@ class TrialRegistrationsController < RegistrationsController
   before_action :check_if_gl_com_or_dev
   before_action :set_redirect_url, only: [:new]
 
+  content_security_policy do |policy|
+    next if policy.directives.blank?
+
+    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    policy.script_src(*script_src_values)
+
+    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    policy.connect_src(*connect_src_values)
+  end
+
   def new
   end
 

lib/gitlab/content_security_policy/config_loader.rb

@@ -15,7 +15,7 @@ module Gitlab
         directives = {
           'default_src' => "'self'",
           'base_uri' => "'self'",
-          'connect_src' => "'self' https://cdn.cookielaw.org",
+          'connect_src' => "'self'",
           'font_src' => "'self'",
           'form_action' => "'self' https: http:",
           'frame_ancestors' => "'self'",
@@ -23,7 +23,7 @@ module Gitlab
           'img_src' => "'self' data: blob: http: https:",
           'manifest_src' => "'self'",
           'media_src' => "'self'",
-          'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org",
+          'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
           'style_src' => "'self' 'unsafe-inline'",
           'worker_src' => "'self' blob: data:",
           'object_src' => "'none'",

spec/lib/gitlab/content_security_policy/config_loader_spec.rb

@@ -56,22 +56,22 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
     context 'adds all websocket origins to support Safari' do
       it 'with insecure domain' do
         stub_config_setting(host: 'example.com', https: false)
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com")
+        expect(directives['connect_src']).to eq("'self' ws://example.com")
       end
 
       it 'with secure domain' do
         stub_config_setting(host: 'example.com', https: true)
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org wss://example.com")
+        expect(directives['connect_src']).to eq("'self' wss://example.com")
       end
 
       it 'with custom port' do
         stub_config_setting(host: 'example.com', port: '1234')
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com:1234")
+        expect(directives['connect_src']).to eq("'self' ws://example.com:1234")
       end
 
       it 'with custom port and secure domain' do
         stub_config_setting(host: 'example.com', https: true, port: '1234')
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org wss://example.com:1234")
+        expect(directives['connect_src']).to eq("'self' wss://example.com:1234")
       end
     end
 
@@ -81,7 +81,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
       end
 
       it 'adds CDN host to CSP' do
-        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://example.com")
+        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
         expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
         expect(directives['font_src']).to eq("'self' https://example.com")
       end
@@ -94,7 +94,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
       end
 
       it 'adds sentry path to CSP without user' do
-        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com dummy://example.com/43")
+        expect(directives['connect_src']).to eq("'self' ws://example.com dummy://example.com/43")
       end
     end