Commit 7af59b1d authored by Max Woolf's avatar Max Woolf

Merge branch 'fix-safari-child-src' into 'master'

Fix issue with frames not loading in Safari

See merge request gitlab-org/gitlab!62421
parents 9ea42ff2 5341e159
...@@ -14,7 +14,6 @@ module Gitlab ...@@ -14,7 +14,6 @@ module Gitlab
'directives' => { 'directives' => {
'default_src' => "'self'", 'default_src' => "'self'",
'base_uri' => "'self'", 'base_uri' => "'self'",
'child_src' => "'none'",
'connect_src' => "'self'", 'connect_src' => "'self'",
'font_src' => "'self'", 'font_src' => "'self'",
'form_action' => "'self' https: http:", 'form_action' => "'self' https: http:",
...@@ -31,6 +30,11 @@ module Gitlab ...@@ -31,6 +30,11 @@ module Gitlab
} }
} }
# frame-src was deprecated in CSP level 2 in favor of child-src
# CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing
# However Safari seems to read child-src first so we'll just keep both equal
settings_hash['directives']['child_src'] = settings_hash['directives']['frame_src']
allow_webpack_dev_server(settings_hash) if Rails.env.development? allow_webpack_dev_server(settings_hash) if Rails.env.development?
allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present? allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
......
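Review bot: The new line `settings_hash['directives']['child_src'] = settings_hash['directives']['frame_src']` runs before `allow_webpack_dev_server` and `allow_cdn`, so if either helper reassigns `frame_src` rather than appending to the same String, `child_src` silently diverges and Safari would again block exactly the dev-server/CDN frames this commit means to fix; the helpers' bodies are outside the hunk, so this is inferred. Moving the assignment after those two calls keeps the two directives equal regardless of how the helpers mutate `frame_src`, and using `.dup` would make the copy explicit instead of relying on the two keys sharing one String object. Separately, dropping `'child_src' => "'none'"` changes the worker fallback chain: in CSP Level 3 `worker-src` falls back to `child-src` before `script-src`, so unless `worker_src` is set elsewhere in this hash (not visible here) workers now inherit `frame_src`'s allowlist instead of being blocked. That is worth a comment on the assignment, e.g. `# NOTE: child-src is also the CSP3 fallback for worker-src; set worker_src explicitly if workers should not follow frame_src`. The method containing these lines starts and ends outside the hunk.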
...@@ -35,6 +35,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -35,6 +35,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
expect(directives.has_key?('report_uri')).to be_truthy expect(directives.has_key?('report_uri')).to be_truthy
expect(directives['report_uri']).to be_nil expect(directives['report_uri']).to be_nil
expect(directives['child_src']).to eq(directives['frame_src'])
end end
context 'when GITLAB_CDN_HOST is set' do context 'when GITLAB_CDN_HOST is set' do
......
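Review bot: The added assertion `expect(directives['child_src']).to eq(directives['frame_src'])` passes vacuously when both directives are nil, so it would not catch a regression where `frame_src` is never populated and `child_src` simply mirrors that absence. Adding `expect(directives['frame_src']).to be_present` alongside it pins the invariant the commit actually relies on. The enclosing `it` block starts before this hunk.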