Commit 91af3ae6 authored by Axel García's avatar Axel García

Add OneTrust URL to content_security_policy

parent 3edf93fa
...@@ -15,7 +15,7 @@ module Gitlab ...@@ -15,7 +15,7 @@ module Gitlab
directives = { directives = {
'default_src' => "'self'", 'default_src' => "'self'",
'base_uri' => "'self'", 'base_uri' => "'self'",
'connect_src' => "'self'", 'connect_src' => "'self' https://cdn.cookielaw.org",
'font_src' => "'self'", 'font_src' => "'self'",
'form_action' => "'self' https: http:", 'form_action' => "'self' https: http:",
'frame_ancestors' => "'self'", 'frame_ancestors' => "'self'",
...@@ -23,7 +23,7 @@ module Gitlab ...@@ -23,7 +23,7 @@ module Gitlab
'img_src' => "'self' data: blob: http: https:", 'img_src' => "'self' data: blob: http: https:",
'manifest_src' => "'self'", 'manifest_src' => "'self'",
'media_src' => "'self'", 'media_src' => "'self'",
'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com", 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org",
'style_src' => "'self' 'unsafe-inline'", 'style_src' => "'self' 'unsafe-inline'",
'worker_src' => "'self' blob: data:", 'worker_src' => "'self' blob: data:",
'object_src' => "'none'", 'object_src' => "'none'",
......
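Review bot: `https://cdn.cookielaw.org` is added to the default `connect_src` and `script_src` for every deployment, so instances that never render the OneTrust consent banner still allow-list a third-party script host in their base policy; it would be safer to append it only where the consent integration is enabled, the way the spec in this commit suggests the CDN and Sentry hosts are appended, rather than baking it into the defaults. Note also that `script_src` already carries `'strict-dynamic'`, under which CSP3 browsers ignore host-source entries: if the OneTrust loader `<script>` is emitted with the page nonce the new host entry is redundant there, and if it is not, the host entry will not unblock it, so confirm how that tag is rendered before relying on the `script_src` change (the `connect_src` entry is unaffected, since `'strict-dynamic'` governs script loading only). Either way the new host deserves a comment so the next reader knows why a cookie-banner CDN sits in the base policy, e.g. `# cdn.cookielaw.org: OneTrust cookie-consent banner (loader script and its requests)`. The `directives` hash literal opened at the top of the hunk closes outside it.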
...@@ -81,7 +81,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -81,7 +81,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end end
it 'adds CDN host to CSP' do it 'adds CDN host to CSP' do
expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com") expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.cookielaw.org https://example.com")
expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com") expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
expect(directives['font_src']).to eq("'self' https://example.com") expect(directives['font_src']).to eq("'self' https://example.com")
end end
...@@ -94,7 +94,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -94,7 +94,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end end
it 'adds sentry path to CSP without user' do it 'adds sentry path to CSP without user' do
expect(directives['connect_src']).to eq("'self' ws://example.com dummy://example.com/43") expect(directives['connect_src']).to eq("'self' https://cdn.cookielaw.org ws://example.com dummy://example.com/43")
end end
end end
......
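Review bot: No example asserts the OneTrust host on its own; it is only pinned indirectly inside the CDN-host and Sentry-path expectations, so a regression that drops it from the defaults would surface as a confusing failure of unrelated examples. Add a dedicated example in whichever context exercises the default directives, e.g. `it 'allows the OneTrust CDN' do` / `expect(directives.values_at('connect_src', 'script_src')).to all(include('https://cdn.cookielaw.org'))` / `end`. The enclosing `describe` block and the `directives` helper it relies on are outside the hunk.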