Add OneTrust URL to content_security_policy

91af3ae6 · Axel García · 3edf93fa · 91af3ae6 · 91af3ae6
Commit 91af3ae6 authored Oct 01, 2021 by Axel García
2 changed files
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -15,7 +15,7 @@ module Gitlab
        directives = {
          'default_src' => "'self'",
          'base_uri' => "'self'",
-          'connect_src' => "'self'",
+          'connect_src' => "'self' https://cdn.cookielaw.org",
          'font_src' => "'self'",
          'form_action' => "'self' https: http:",
          'frame_ancestors' => "'self'",
@@ -23,7 +23,7 @@ module Gitlab
          'img_src' => "'self' data: blob: http: https:",
          'manifest_src' => "'self'",
          'media_src' => "'self'",
-          'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
+          'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org",
          'style_src' => "'self' 'unsafe-inline'",
          'worker_src' => "'self' blob: data:",
          'object_src' => "'none'",

--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -81,7 +81,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
      end

      it 'adds CDN host to CSP' do
-        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
+        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://example.com")
        expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
        expect(directives['font_src']).to eq("'self' https://example.com")
      end
@@ -94,7 +94,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
      end

      it 'adds sentry path to CSP without user' do
-        expect(directives['connect_src']).to eq("'self' ws://example.com dummy://example.com/43")
+        expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com dummy://example.com/43")
      end
    end