author | Stan Hu <stanhu@gmail.com> | 2019-08-07 11:17:12 -0700 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2019-08-07 11:21:08 -0700 |
commit | d265408c26b6d4a6087df032b1928d142534d0a6 (patch) | |
tree | e736852ce97c3709939cc8f1dfef2f95e32392d9 | |
parent | 8d659869e1d8ef4a844ea03890f42cb80f312fa0 (diff) | |
Add missing report-uri to CSP config (branch: sh-add-missing-csp-report-uri)
This is supported in Rails 5.2, although report-uri may be
deprecated in the future in favour of report-to.
3 files changed, 9 insertions, 2 deletions
diff --git a/changelogs/unreleased/sh-add-missing-csp-report-uri.yml b/changelogs/unreleased/sh-add-missing-csp-report-uri.yml
new file mode 100644
index 00000000000..656eb8e9c37
--- /dev/null
+++ b/changelogs/unreleased/sh-add-missing-csp-report-uri.yml
@@ -0,0 +1,5 @@
+---
+title: Add missing report-uri to CSP config
+merge_request: 31593
+author:
+type: fixed
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index b2f3345d33a..ff844645b11 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -5,7 +5,7 @@ module Gitlab
     class ConfigLoader
       DIRECTIVES = %w(base_uri child_src connect_src default_src font_src
                       form_action frame_ancestors frame_src img_src manifest_src
-                      media_src object_src script_src style_src worker_src).freeze
+                      media_src object_src report_uri script_src style_src worker_src).freeze
 
       def self.default_settings_hash
         {
diff --git a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
index e7670c9d523..1d404915617 100644
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -13,7 +13,8 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do
         child_src: "'self' https://child.example.com",
         default_src: "'self' https://other.example.com",
         script_src: "'self' https://script.exammple.com ",
-        worker_src: "data: https://worker.example.com"
+        worker_src: "data: https://worker.example.com",
+        report_uri: "http://example.com"
       }
     }
   end
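Review bot: `report_uri` is appended to the same `DIRECTIVES` list as the source-list directives, but its value is a single URI rather than a source list, so whatever normalisation the loader applies to the other entries (the `default_settings_hash` and load path are outside this hunk) may pass through values such as `'self'` or `'none'` that are meaningless for report-uri and would be emitted to the browser unchanged. It would help to document that next to the constant, e.g. `# report_uri is a URI, not a source list: browsers POST violation reports (document-uri, referrer, blocked-uri) there, so it should point at an HTTPS endpoint the operator controls`, and, if the loader has any per-directive validation, to reject values that do not parse as a URI. Keeping report-uri despite its CSP Level 3 deprecation is reasonable, since it remains the widely implemented reporting mechanism. The `ConfigLoader` class continues beyond the end of the hunk.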
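Review bot: The new fixture line `report_uri: "http://example.com"` points violation reports at a plaintext endpoint; because reports carry the document URI, referrer and blocked URI, a spec value such as `report_uri: "https://csp-report.example.com"` would avoid the test doubling as an insecure copy-paste example and would match the `https://` hosts used by the neighbouring directives. The `let` block that builds this hash starts before the hunk.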
@@ -46,6 +47,7 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do
       expect(policy.directives['default-src']).to eq(expected_config(:default_src))
       expect(policy.directives['child-src']).to eq(expected_config(:child_src))
       expect(policy.directives['worker-src']).to eq(expected_config(:worker_src))
+      expect(policy.directives['report-uri']).to eq(expected_config(:report_uri))
     end
 
     it 'ignores malformed policy statements' do