Commit d265408c authored by Stan Hu's avatar Stan Hu

Add missing report-uri to CSP config

This is supported in Rails 5.2, although it may be
deprecated in the future in favour of report-to.
parent 8d659869
---
title: Add missing report-uri to CSP config
merge_request: 31593
author:
type: fixed
...@@ -5,7 +5,7 @@ module Gitlab ...@@ -5,7 +5,7 @@ module Gitlab
class ConfigLoader class ConfigLoader
DIRECTIVES = %w(base_uri child_src connect_src default_src font_src DIRECTIVES = %w(base_uri child_src connect_src default_src font_src
form_action frame_ancestors frame_src img_src manifest_src form_action frame_ancestors frame_src img_src manifest_src
media_src object_src script_src style_src worker_src).freeze media_src object_src report_uri script_src style_src worker_src).freeze
def self.default_settings_hash def self.default_settings_hash
{ {
......
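Review bot: Adding `report_uri` to DIRECTIVES on the third line of the hunk puts a single-argument directive into a list whose other members take a source list; in Rails 5.2 `ActionDispatch::ContentSecurityPolicy#report_uri(uri)` accepts exactly one URI, whereas `default_src` and friends accept any number. The loader body is outside the hunk, but if it splits the configured value on whitespace and splats it into the policy method (as the "ignores malformed policy statements" spec suggests it does for the others), a `report_uri` value holding two URIs would presumably raise ArgumentError rather than being ignored, so that case deserves either a guard in the loader or a spec under that example. Either way the constraint should be visible next to the constant, e.g. `# report_uri takes exactly one URI (CSP3 supersedes it with report-to)`.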
...@@ -13,7 +13,8 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -13,7 +13,8 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do
child_src: "'self' https://child.example.com", child_src: "'self' https://child.example.com",
default_src: "'self' https://other.example.com", default_src: "'self' https://other.example.com",
script_src: "'self' https://script.exammple.com ", script_src: "'self' https://script.exammple.com ",
worker_src: "data: https://worker.example.com" worker_src: "data: https://worker.example.com",
report_uri: "http://example.com"
} }
} }
end end
...@@ -46,6 +47,7 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do ...@@ -46,6 +47,7 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do
expect(policy.directives['default-src']).to eq(expected_config(:default_src)) expect(policy.directives['default-src']).to eq(expected_config(:default_src))
expect(policy.directives['child-src']).to eq(expected_config(:child_src)) expect(policy.directives['child-src']).to eq(expected_config(:child_src))
expect(policy.directives['worker-src']).to eq(expected_config(:worker_src)) expect(policy.directives['worker-src']).to eq(expected_config(:worker_src))
expect(policy.directives['report-uri']).to eq(expected_config(:report_uri))
end end
it 'ignores malformed policy statements' do it 'ignores malformed policy statements' do
......
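Review bot: The new fixture line `report_uri: "http://example.com"` in the first hunk models a plaintext report endpoint; CSP violation reports carry the document and blocked URIs, so the example that other contributors will copy should use an https endpoint, e.g. `report_uri: "https://example.com"`. The new expectation at the end of the second hunk only covers this single-URI value; there is no example showing what the loader does with a `report_uri` containing more than one URI, which is the case most likely to differ from the other directives. The enclosing `describe` block starts and ends outside both hunks.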