Skip to content

G
gitlab-ce
Commit c2ba7d20 authored by Thong Kuah's avatar Thong Kuah
Browse files
Options

Revert "Merge branch 'fix-csp-issue' into 'master'" 

This reverts merge request !62615
parent 35ce121f
Show whitespace changes
Inline Side-by-side
Showing with 2 additions and 39 deletions
app/helpers/gitlab_script_tag_helper.rb
View file @ c2ba7d20
...@@ -21,12 +21,4 @@ module GitlabScriptTagHelper ...@@ -21,12 +21,4 @@ module GitlabScriptTagHelper
super super
end end
def preload_link_tag(source, options = {})
# Chrome requires a nonce, see https://gitlab.com/gitlab-org/gitlab/-/issues/331810#note_584964908
# It's likely to be a browser bug, but we need to work around it anyway
options[:nonce] = content_security_policy_nonce
super
end
end end
lib/gitlab/content_security_policy/config_loader.rb
View file @ c2ba7d20
...@@ -24,7 +24,7 @@ module Gitlab ...@@ -24,7 +24,7 @@ module Gitlab
'media_src' => "'self'", 'media_src' => "'self'",
'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com", 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
'style_src' => "'self' 'unsafe-inline'", 'style_src' => "'self' 'unsafe-inline'",
'worker_src' => "'self' blob: data:", 'worker_src' => "'self'",
'object_src' => "'none'", 'object_src' => "'none'",
'report_uri' => nil 'report_uri' => nil
} }
...@@ -37,7 +37,6 @@ module Gitlab ...@@ -37,7 +37,6 @@ module Gitlab
allow_webpack_dev_server(settings_hash) if Rails.env.development? allow_webpack_dev_server(settings_hash) if Rails.env.development?
allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present? allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
allow_snowplow(settings_hash) if Gitlab::CurrentSettings.snowplow_enabled?
settings_hash settings_hash
end end
...@@ -80,11 +79,6 @@ module Gitlab ...@@ -80,11 +79,6 @@ module Gitlab
append_to_directive(settings_hash, 'script_src', cdn_host) append_to_directive(settings_hash, 'script_src', cdn_host)
append_to_directive(settings_hash, 'style_src', cdn_host) append_to_directive(settings_hash, 'style_src', cdn_host)
append_to_directive(settings_hash, 'font_src', cdn_host)
end
def self.allow_snowplow(settings_hash)
append_to_directive(settings_hash, 'connect_src', Gitlab::CurrentSettings.snowplow_collector_hostname)
end end
def self.append_to_directive(settings_hash, directive, text) def self.append_to_directive(settings_hash, directive, text)
......
spec/helpers/gitlab_script_tag_helper_spec.rb
View file @ c2ba7d20
...@@ -41,11 +41,4 @@ RSpec.describe GitlabScriptTagHelper do ...@@ -41,11 +41,4 @@ RSpec.describe GitlabScriptTagHelper do
expect(helper.javascript_tag( '// ignored', type: 'application/javascript') { 'alert(1)' }.to_s).to eq tag_with_nonce_and_type expect(helper.javascript_tag( '// ignored', type: 'application/javascript') { 'alert(1)' }.to_s).to eq tag_with_nonce_and_type
end end
end end
describe '#preload_link_tag' do
it 'returns a link tag with a nonce' do
expect(helper.preload_link_tag('https://example.com/script.js').to_s)
.to eq "<link rel=\"preload\" href=\"https://example.com/script.js\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">"
end
end
end end
spec/helpers/webpack_helper_spec.rb
View file @ c2ba7d20
...@@ -15,7 +15,6 @@ RSpec.describe WebpackHelper do ...@@ -15,7 +15,6 @@ RSpec.describe WebpackHelper do
describe '#webpack_preload_asset_tag' do describe '#webpack_preload_asset_tag' do
before do before do
allow(Gitlab::Webpack::Manifest).to receive(:asset_paths).and_return([asset_path]) allow(Gitlab::Webpack::Manifest).to receive(:asset_paths).and_return([asset_path])
allow(helper).to receive(:content_security_policy_nonce).and_return('noncevalue')
end end
it 'preloads the resource by default' do it 'preloads the resource by default' do
...@@ -23,7 +22,7 @@ RSpec.describe WebpackHelper do ...@@ -23,7 +22,7 @@ RSpec.describe WebpackHelper do
output = helper.webpack_preload_asset_tag(source) output = helper.webpack_preload_asset_tag(source)
expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\" nonce=\"noncevalue\">") expect(output).to eq("<link rel=\"preload\" href=\"#{asset_path}\" as=\"script\" type=\"text/javascript\">")
end end
it 'prefetches the resource if explicitly asked' do it 'prefetches the resource if explicitly asked' do
......
spec/lib/gitlab/content_security_policy/config_loader_spec.rb
View file @ c2ba7d20
...@@ -49,21 +49,6 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -49,21 +49,6 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com") expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")
expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com") expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://example.com")
expect(directives['font_src']).to eq("'self' https://example.com")
end
end
context 'when snowplow is configured' do
before do
stub_application_setting(snowplow_enabled: true)
stub_application_setting(snowplow_collector_hostname: 'snowplow.example.com')
end
it 'adds snowplow to CSP' do
settings = described_class.default_settings_hash
directives = settings['directives']
expect(directives['connect_src']).to eq("'self' snowplow.example.com")
end end
end end
end end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7