1 files changed, 50 insertions, 0 deletions

diff --git a/spec/requests/content_security_policy_spec.rb b/spec/requests/content_security_policy_spec.rb
new file mode 100644
index 00000000000..06fc5b0e190
--- /dev/null
+++ b/spec/requests/content_security_policy_spec.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+# The AnonymousController doesn't support setting the CSP
+# This is why an arbitrary test request was chosen instead
+# of testing in application_controller_spec.
+RSpec.describe 'Content Security Policy' do
+  let(:snowplow_host) { 'snowplow.example.com' }
+
+  shared_examples 'snowplow is not in the CSP' do
+    it 'does not add the snowplow collector hostname to the CSP' do
+      get explore_root_url
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.headers['Content-Security-Policy']).not_to include(snowplow_host)
+    end
+  end
+
+  describe 'GET #explore' do
+    context 'snowplow is enabled' do
+      before do
+        stub_application_setting(snowplow_enabled: true, snowplow_collector_hostname: snowplow_host)
+      end
+
+      it 'adds the snowplow collector hostname to the CSP' do
+        get explore_root_url
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response.headers['Content-Security-Policy']).to include(snowplow_host)
+      end
+    end
+
+    context 'snowplow is enabled but host is not configured' do
+      before do
+        stub_application_setting(snowplow_enabled: true)
+      end
+
+      it_behaves_like 'snowplow is not in the CSP'
+    end
+
+    context 'snowplow is disabled' do
+      before do
+        stub_application_setting(snowplow_enabled: false, snowplow_collector_hostname: snowplow_host)
+      end
+
+      it_behaves_like 'snowplow is not in the CSP'
+    end
+  end
+end