Do not add ArkoseLabs URL to the CSP if global config is empty
What does this MR do and why?
When the arkose_labs_signup_challenge feature flag (FF) is enabled, the CSP for the signup page is updated to add https://*.arkoselabs.com as an allowed origin.

In gitlab-qa!1117 (closed), it was discovered that when there is no existing CSP configuration (i.e. resources are allowed from anywhere, as for Omnibus installations), the CSP for the signup page is incorrectly being updated to only allow resources from https://*.arkoselabs.com. This results in the page not functioning correctly (missing JS scripts).

This MR fixes that problem by skipping the CSP update on the signup page when the existing CSP directives are empty, which keeps the behavior of allowing resources from all origins.
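As an added illustration (not GitLab's own code), the following Ruby shows the unconditional update that caused the breakage beside the guarded version this MR describes; the helper names, the directive-hash shape and the choice of script-src as the affected directive are assumptions.

```ruby
# Added example, not GitLab's code: the directive hash shape, the helper
# names and the choice of script-src as the affected directive are assumptions.
ARKOSE_ORIGIN = "https://*.arkoselabs.com".freeze

# Appends the Arkose origin to script-src (creating the directive if absent).
def append_arkose_to_script_src(directives)
  updated = directives.dup
  updated["script-src"] = [updated["script-src"], ARKOSE_ORIGIN].compact.join(" ")
  updated
end

# Before the fix: the update runs unconditionally. With an empty directive
# hash (CSP disabled, everything allowed) this yields a policy that allows
# scripts only from Arkose, which is the breakage reported in gitlab-qa!1117.
def buggy_signup_csp(directives)
  append_arkose_to_script_src(directives)
end

# After the fix: an empty directive hash means "allow everything", so it is
# returned untouched; a real policy still gets the Arkose origin appended.
def fixed_signup_csp(directives)
  return directives if directives.empty?

  append_arkose_to_script_src(directives)
end

# Render the directive hash as a Content-Security-Policy header value.
def csp_header(directives)
  directives.map { |name, sources| "#{name} #{sources}" }.join("; ")
end

if __FILE__ == $PROGRAM_NAME
  disabled = {}                                   # Omnibus-style: CSP disabled
  enabled  = { "script-src" => "'self'" }         # constructed sample policy
  puts "buggy, disabled: #{csp_header(buggy_signup_csp(disabled)).inspect}"
  puts "fixed, disabled: #{csp_header(fixed_signup_csp(disabled)).inspect}"
  puts "fixed, enabled:  #{csp_header(fixed_signup_csp(enabled)).inspect}"
end
```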
Screenshots or screen recordings
N/A
How to set up and validate locally
- Disable content_security_policy in your gitlab.yml:

      gitlab:
        content_security_policy:
          enabled: false

- Restart GDK and confirm that CSP is disabled in the Rails console:

      > Settings.gitlab.content_security_policy
      => {"enabled"=>false, "report_only"=>false, "directives"=>{}}

- Enable the arkose_labs_signup_challenge FF:

      > Feature.enable(:arkose_labs_signup_challenge)
      => true

- Visit the signup page.
- Open the developer console and validate that there are no errors that look like:

      sign_up:2568 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src https://*.arkoselabs.com". ...

  If you look at the Content-Security-Policy response header for the page, it should look like:
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.