Update CSP directives to work with Google Analytics 4 in SaaS

227a0e3b · Tyler Williams · Alexandru Croitor · cd8e9a0e · 227a0e3b · 227a0e3b
Commit 227a0e3b authored 2 years ago by Tyler Williams Committed by Alexandru Croitor 2 years ago
--- a/app/controllers/concerns/google_analytics_csp.rb
+++ b/app/controllers/concerns/google_analytics_csp.rb
+# frozen_string_literal: true
+
+module GoogleAnalyticsCSP
+  extend ActiveSupport::Concern
+
+  included do
+    content_security_policy do |policy|
+      next unless helpers.google_tag_manager_enabled? || policy.directives.present?
+
+      default_script_src = policy.directives['script-src'] || policy.directives['default-src']
+      script_src_values = Array.wrap(default_script_src) | ['*.googletagmanager.com']
+      policy.script_src(*script_src_values)
+
+      default_img_src = policy.directives['img-src'] || policy.directives['default-src']
+      img_src_values = Array.wrap(default_img_src) | ['*.google-analytics.com', '*.googletagmanager.com']
+      policy.img_src(*img_src_values)
+
+      default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
+      connect_src_values =
+        Array.wrap(default_connect_src) | ['*.google-analytics.com', '*.analytics.google.com', '*.googletagmanager.com']
+      policy.connect_src(*connect_src_values)
+    end
+  end
+end
--- a/app/controllers/confirmations_controller.rb
+++ b/app/controllers/confirmations_controller.rb
@@ -4,6 +4,7 @@ class ConfirmationsController < Devise::ConfirmationsController
  include AcceptsPendingInvitations
  include GitlabRecaptcha
  include OneTrustCSP
+  include GoogleAnalyticsCSP

  prepend_before_action :check_recaptcha, only: :create
  before_action :load_recaptcha, only: :new

--- a/app/controllers/registrations/welcome_controller.rb
+++ b/app/controllers/registrations/welcome_controller.rb
@@ -3,6 +3,7 @@
 module Registrations
  class WelcomeController < ApplicationController
    include OneTrustCSP
+    include GoogleAnalyticsCSP

    layout 'minimal'
    skip_before_action :authenticate_user!, :required_signup_info, :check_two_factor_requirement, only: [:show, :update]

--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -7,6 +7,7 @@ class RegistrationsController < Devise::RegistrationsController
  include InvisibleCaptchaOnSignup
  include OneTrustCSP
  include BizibleCSP
+  include GoogleAnalyticsCSP

  layout 'devise'


--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -12,6 +12,7 @@ class SessionsController < Devise::SessionsController
  include OneTrustCSP
  include BizibleCSP
  include VerifiesWithEmail
+  include GoogleAnalyticsCSP

  skip_before_action :check_two_factor_requirement, only: [:destroy]
  skip_before_action :check_password_expiration, only: [:destroy]

--- a/app/controllers/users/terms_controller.rb
+++ b/app/controllers/users/terms_controller.rb
@@ -4,6 +4,7 @@ module Users
  class TermsController < ApplicationController
    include InternalRedirect
    include OneTrustCSP
+    include GoogleAnalyticsCSP

    skip_before_action :authenticate_user!, only: [:index]
    skip_before_action :enforce_terms!

--- a/ee/app/controllers/ee/registrations/welcome_controller.rb
+++ b/ee/app/controllers/ee/registrations/welcome_controller.rb
@@ -11,6 +11,7 @@ module WelcomeController

      prepended do
        include OneTrustCSP
+        include GoogleAnalyticsCSP

        before_action :authorized_for_trial_onboarding!,
                      only: [

--- a/ee/app/controllers/groups/usage_quotas_controller.rb
+++ b/ee/app/controllers/groups/usage_quotas_controller.rb
@@ -2,6 +2,7 @@

 class Groups::UsageQuotasController < Groups::ApplicationController
  include OneTrustCSP
+  include GoogleAnalyticsCSP
  include GitlabSubscriptions::SeatCountAlert

  before_action :authorize_admin_group!

--- a/ee/app/controllers/profiles/usage_quotas_controller.rb
+++ b/ee/app/controllers/profiles/usage_quotas_controller.rb
@@ -2,6 +2,7 @@

 class Profiles::UsageQuotasController < Profiles::ApplicationController
  include OneTrustCSP
+  include GoogleAnalyticsCSP

  feature_category :purchase
  urgency :low

--- a/ee/app/controllers/registrations/groups_controller.rb
+++ b/ee/app/controllers/registrations/groups_controller.rb
@@ -6,6 +6,7 @@ class GroupsController < ApplicationController
    include Registrations::ApplyTrial
    include ::Gitlab::Utils::StrongMemoize
    include OneTrustCSP
+    include GoogleAnalyticsCSP

    layout 'minimal'


--- a/ee/app/controllers/registrations/groups_projects_controller.rb
+++ b/ee/app/controllers/registrations/groups_projects_controller.rb
@@ -6,6 +6,7 @@ class GroupsProjectsController < ApplicationController
    include Registrations::CreateGroup
    include Registrations::ApplyTrial
    include OneTrustCSP
+    include GoogleAnalyticsCSP

    skip_before_action :require_verification, only: :new
    before_action :set_requires_verification, only: :new, if: -> { helpers.require_verification_experiment.candidate? }

--- a/ee/app/controllers/registrations/projects_controller.rb
+++ b/ee/app/controllers/registrations/projects_controller.rb
@@ -4,6 +4,7 @@ module Registrations
  class ProjectsController < ApplicationController
    include Registrations::CreateProject
    include OneTrustCSP
+    include GoogleAnalyticsCSP

    layout 'minimal'


--- a/ee/app/controllers/subscriptions_controller.rb
+++ b/ee/app/controllers/subscriptions_controller.rb
@@ -6,6 +6,7 @@ class SubscriptionsController < ApplicationController
  include InternalRedirect
  include OneTrustCSP
  include ZuoraCSP
+  include GoogleAnalyticsCSP

  layout 'minimal'
  skip_before_action :authenticate_user!, only: [:new]

--- a/ee/app/controllers/trial_registrations_controller.rb
+++ b/ee/app/controllers/trial_registrations_controller.rb
@@ -5,6 +5,7 @@
 class TrialRegistrationsController < RegistrationsController
  include OneTrustCSP
  include BizibleCSP
+  include GoogleAnalyticsCSP

  layout 'minimal'


--- a/ee/app/controllers/trials_controller.rb
+++ b/ee/app/controllers/trials_controller.rb
@@ -5,6 +5,7 @@
 class TrialsController < ApplicationController
  include ActionView::Helpers::SanitizeHelper
  include OneTrustCSP
+  include GoogleAnalyticsCSP

  layout 'minimal'


--- a/ee/spec/features/subscriptions_spec.rb
+++ b/ee/spec/features/subscriptions_spec.rb
@@ -11,11 +11,14 @@
  let_it_be(:zuora_url) { 'https://*.zuora.com' }
  let_it_be(:onetrust_url) { 'https://*.onetrust.com' }
  let_it_be(:cookielaw_url) { 'https://cdn.cookielaw.org' }
+  let_it_be(:google_tag_manager_url) { '*.googletagmanager.com' }
+  let_it_be(:google_analytics_url) { '*.google-analytics.com' }
+  let_it_be(:google_analytics_google_url) { '*.analytics.google.com' }

  before do
    stub_request(:get, /.*gitlab_plans.*/).to_return(status: 200, body: "{}")

-    setup_existing_csp_for_controller(SubscriptionsController, csp, 3)
+    setup_existing_csp_for_controller(SubscriptionsController, csp, 4)

    sign_in(create(:user))

@@ -37,10 +40,11 @@
      end
    end

-    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{cookielaw_url} #{onetrust_url} #{zuora_url}") }
+    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{cookielaw_url} #{onetrust_url} #{zuora_url} #{google_tag_manager_url}") }
    it { is_expected.to include("frame-src #{default_csp_values} #{zuora_url}") }
    it { is_expected.to include("child-src #{default_csp_values} #{zuora_url}") }
-    it { is_expected.to include("connect-src #{cookielaw_url}") }
+    it { is_expected.to include("connect-src #{cookielaw_url} #{onetrust_url} #{google_analytics_url} #{google_analytics_google_url} #{google_tag_manager_url}") }
+    it { is_expected.to include("img-src #{google_analytics_url} #{google_tag_manager_url}") }
  end

  context 'when just a default CSP config exists' do
@@ -51,8 +55,10 @@
    end

    it { is_expected.to include("default-src #{default_csp_values}") }
-    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{cookielaw_url} #{onetrust_url} #{zuora_url}") }
+    it { is_expected.to include("script-src #{default_csp_values} 'unsafe-eval' #{cookielaw_url} #{onetrust_url} #{zuora_url} #{google_tag_manager_url}") }
    it { is_expected.to include("frame-src #{default_csp_values} #{zuora_url}") }
    it { is_expected.to include("child-src #{default_csp_values} #{zuora_url}") }
+    it { is_expected.to include("img-src #{default_csp_values} #{google_analytics_url} #{google_tag_manager_url}") }
+    it { is_expected.to include("connect-src #{default_csp_values} localhost #{cookielaw_url} #{onetrust_url} #{google_analytics_url} #{google_analytics_google_url} #{google_tag_manager_url}") }
  end
 end
--- a/spec/features/users/google_analytics_csp_spec.rb
+++ b/spec/features/users/google_analytics_csp_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Google Analytics 4 content security policy' do
+  it 'includes the GA4 content security policy headers' do
+    visit root_path
+
+    expect(response_headers['Content-Security-Policy']).to include(
+      '*.googletagmanager.com',
+      '*.google-analytics.com',
+      '*.analytics.google.com'
+    )
+  end
+end