Add onetrust.com to one_trust_csp

75046c3f · Rajendra Kadam · Alper Akgun · 18fc6343 · 75046c3f · 75046c3f
Commit 75046c3f authored Dec 06, 2021 by Rajendra Kadam Committed by Alper Akgun Dec 06, 2021
Showing with 19 additions and 2 deletions

app/controllers/concerns/one_trust_csp.rb app/controllers/concerns/one_trust_csp.rb +2 -2

spec/features/users/one_trust_csp_spec.rb spec/features/users/one_trust_csp_spec.rb +17 -0

No files found.
--- a/app/controllers/concerns/one_trust_csp.rb
+++ b/app/controllers/concerns/one_trust_csp.rb
@@ -8,11 +8,11 @@ module OneTrustCSP
      next unless helpers.one_trust_enabled? || policy.directives.present?

      default_script_src = policy.directives['script-src'] || policy.directives['default-src']
-      script_src_values = Array.wrap(default_script_src) | ["'unsafe-eval'", 'https://cdn.cookielaw.org https://*.onetrust.com']
+      script_src_values = Array.wrap(default_script_src) | ["'unsafe-eval'", 'https://cdn.cookielaw.org', 'https://*.onetrust.com']
      policy.script_src(*script_src_values)

      default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
-      connect_src_values = Array.wrap(default_connect_src) | ['https://cdn.cookielaw.org']
+      connect_src_values = Array.wrap(default_connect_src) | ['https://cdn.cookielaw.org', 'https://*.onetrust.com']
      policy.connect_src(*connect_src_values)
    end
  end

--- a/spec/features/users/one_trust_csp_spec.rb
+++ b/spec/features/users/one_trust_csp_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'OneTrust content security policy' do
+  let(:user) { create(:user) }
+
+  before do
+    stub_config(extra: { one_trust_id: SecureRandom.uuid })
+  end
+
+  it 'has proper Content Security Policy headers' do
+    visit root_path
+
+    expect(response_headers['Content-Security-Policy']).to include('https://cdn.cookielaw.org https://*.onetrust.com')
+  end
+end