From a6aa5683fe224600060701ac35f29d1de1c56a17 Mon Sep 17 00:00:00 2001
From: eugielimpin
Date: Wed, 11 Jan 2023 16:18:29 +0800
Subject: [PATCH] Do not add ArkoseLabs URL to the CSP if global config is empty
---
 .../controllers/concerns/arkose_labs_csp.rb | 2 ++
 .../features/users/arkose_labs_csp_spec.rb | 31 +++++++++++++------
 2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/ee/app/controllers/concerns/arkose_labs_csp.rb b/ee/app/controllers/concerns/arkose_labs_csp.rb
index c78ccbf604d2f4..f1c1d0a5e8e500 100644
--- a/ee/app/controllers/concerns/arkose_labs_csp.rb
+++ b/ee/app/controllers/concerns/arkose_labs_csp.rb
@@ -5,6 +5,8 @@ module ArkoseLabsCSP
 included do
 content_security_policy do |policy|
+ next unless policy.directives.present?
+
 allow_for_login = self == SessionsController && Feature.enabled?(:arkose_labs_login_challenge)
 allow_for_signup = self == RegistrationsController && Feature.enabled?(:arkose_labs_signup_challenge)
diff --git a/ee/spec/features/users/arkose_labs_csp_spec.rb b/ee/spec/features/users/arkose_labs_csp_spec.rb
index 9e6b0916339cbf..76b7628926984e 100644
--- a/ee/spec/features/users/arkose_labs_csp_spec.rb
+++ b/ee/spec/features/users/arkose_labs_csp_spec.rb
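Review bot: The new guard `next unless policy.directives.present?` changes behaviour in a way the line itself does not explain — on an instance with no global CSP the ArkoseLabs allowances are now never emitted at all — so it deserves a why-comment directly above it. Going by the commit message and the spec's `be_blank` expectation, the intent seems to be that a header consisting only of the ArkoseLabs directives would be a new, narrower policy rather than an extension of the configured one, which is what I would write: `# No global CSP is configured: there is nothing to extend, and emitting a` / `# header made up only of the ArkoseLabs allowances would impose a new,` / `# narrower policy instead of widening the configured one.` It is also worth confirming that `policy` here is always the per-request copy of the configured policy, since the guard silently treats an empty directives hash as "not configured" and there is no other signal distinguishing that from a deliberately empty policy. The enclosing `content_security_policy` block and the `included do` block continue past the end of the hunk.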
@@ -3,15 +3,15 @@
 require 'spec_helper'
 RSpec.describe 'ArkoseLabs content security policy', feature_category: :authentication_and_authorization do
- shared_examples 'configures Content Security Policy headers correctly' do
- context 'when feature flag is enabled' do
- let(:feature_flag_state) { true }
+ include ContentSecurityPolicyHelpers
- it 'adds ArkoseLabs URL to Content Security Policy headers' do
- visit page_path
+ let(:feature_flag_state) { true }
- expect(response_headers['Content-Security-Policy']).to include('https://*.arkoselabs.com')
- end
+ shared_examples 'configures Content Security Policy headers correctly' do |controller_class|
+ it 'adds ArkoseLabs URL to Content Security Policy headers' do
+ visit page_path
+
+ expect(response_headers['Content-Security-Policy']).to include('https://*.arkoselabs.com')
 end
 context 'when feature flag is disabled' do
@@ -23,6 +23,19 @@
 expect(response_headers['Content-Security-Policy']).not_to include('https://*.arkoselabs.com')
 end
 end
+
+ context 'when there is no global CSP config' do
+ before do
+ csp = ActionDispatch::ContentSecurityPolicy.new
+ setup_csp_for_controller(controller_class, csp, any_time: true)
+ end
+
+ it 'does not add ArkoseLabs URL to Content Security Policy headers' do
+ visit page_path
+
+ expect(response_headers['Content-Security-Policy']).to be_blank
+ end
+ end
 end
 context 'when in login page' do
@@ -35,7 +48,7 @@
 )
 end
- it_behaves_like 'configures Content Security Policy headers correctly'
+ it_behaves_like 'configures Content Security Policy headers correctly', SessionsController
 end
 context 'when in registration page' do
@@ -48,6 +61,6 @@
 )
 end
- it_behaves_like 'configures Content Security Policy headers correctly'
+ it_behaves_like 'configures Content Security Policy headers correctly', RegistrationsController
 end
 end
-- 
GitLab