authorMayra Cabrera <mcabrera@gitlab.com>2019-08-07 21:07:06 +0000
committerMayra Cabrera <mcabrera@gitlab.com>2019-08-07 21:07:06 +0000
commiteec1ed522d4103ee7d347c305f1021db33173def (patch)
tree85100e65d3f3e6323652c1990b3c3b1e21a925fc
parent4035e1391d65d70228426012618e7c4188c55e18 (diff)
parentd265408c26b6d4a6087df032b1928d142534d0a6 (diff)
Merge branch 'sh-add-missing-csp-report-uri' into 'master'
Add missing report-uri to CSP config. See merge request gitlab-org/gitlab-ce!31593
-rw-r--r--changelogs/unreleased/sh-add-missing-csp-report-uri.yml5
-rw-r--r--lib/gitlab/content_security_policy/config_loader.rb2
-rw-r--r--spec/lib/gitlab/content_security_policy/config_loader_spec.rb4
3 files changed, 9 insertions, 2 deletions
diff --git a/changelogs/unreleased/sh-add-missing-csp-report-uri.yml b/changelogs/unreleased/sh-add-missing-csp-report-uri.yml
new file mode 100644
index 00000000000..656eb8e9c37
--- /dev/null
+++ b/changelogs/unreleased/sh-add-missing-csp-report-uri.yml
@@ -0,0 +1,5 @@
+---
+title: Add missing report-uri to CSP config
+merge_request: 31593
+author:
+type: fixed
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index b2f3345d33a..ff844645b11 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -5,7 +5,7 @@ module Gitlab
class ConfigLoader
DIRECTIVES = %w(base_uri child_src connect_src default_src font_src
form_action frame_ancestors frame_src img_src manifest_src
- media_src object_src script_src style_src worker_src).freeze
+ media_src object_src report_uri script_src style_src worker_src).freeze
def self.default_settings_hash
{
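Review bot: `report_uri`, added to DIRECTIVES on the `+` line, is the only entry whose value is a reporting endpoint URL rather than a source-expression list, and CSP Level 3 deprecates `report-uri` in favour of `report-to`; the constant carries no comment pointing this out. How DIRECTIVES is consumed is outside the hunk, so whether the loader applies source-list handling (quoting, splitting) to this value cannot be confirmed from here and is worth checking in the consumer. A one-line comment would document the distinction: `# report_uri takes a reporting endpoint URL, not a source list (superseded by report-to in CSP3)`. The ConfigLoader class continues beyond the hunk.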
diff --git a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
index e7670c9d523..1d404915617 100644
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -13,7 +13,8 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do
child_src: "'self' https://child.example.com",
default_src: "'self' https://other.example.com",
script_src: "'self' https://script.exammple.com ",
- worker_src: "data: https://worker.example.com"
+ worker_src: "data: https://worker.example.com",
+ report_uri: "http://example.com"
}
}
end
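Review bot: The new fixture value `report_uri: "http://example.com"` is the only plaintext `http://` entry among the `https://` fixtures on the lines above it; since this endpoint receives violation reports, which carry the document and blocked URLs, an https value would model the intended configuration and keep the fixture consistent, e.g. `report_uri: "https://report.example.com"`. The block that holds this hash starts before the hunk.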
@@ -46,6 +47,7 @@ describe Gitlab::ContentSecurityPolicy::ConfigLoader do
expect(policy.directives['default-src']).to eq(expected_config(:default_src))
expect(policy.directives['child-src']).to eq(expected_config(:child_src))
expect(policy.directives['worker-src']).to eq(expected_config(:worker_src))
+ expect(policy.directives['report-uri']).to eq(expected_config(:report_uri))
end
it 'ignores malformed policy statements' do