Update CSP configuration for Arkose integration

Update CSP configuration for Arkose integration as described in https://developer.arkoselabs.com/docs/domain-policy. This update enables Arkose to move Gitlab.com to the Iframe-less CAPI version. > Iframe-less Client API enables enhanced detection capabilities while improving both security and data collection. It also introduces improvements in latency performance.

Update CSP configuration for Arkose integration
1d127325 · Eugie Limpin · GitLab · 9dbf7f9b · 1d127325 · 1d127325
--- a/ee/app/controllers/concerns/arkose/content_security_policy.rb
+++ b/ee/app/controllers/concerns/arkose/content_security_policy.rb
@@ -15,6 +15,10 @@ module ContentSecurityPolicy
        default_frame_src = policy.directives['frame-src'] || policy.directives['default-src']
        frame_src_values = Array.wrap(default_frame_src) | ['https://*.arkoselabs.com']
        policy.frame_src(*frame_src_values)
+
+        default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
+        connect_src_values = Array.wrap(default_connect_src) | ['https://*.arkoselabs.com']
+        policy.connect_src(*connect_src_values)
      end
    end
  end

--- a/ee/spec/features/users/arkose_content_security_policy_spec.rb
+++ b/ee/spec/features/users/arkose_content_security_policy_spec.rb
@@ -6,10 +6,21 @@
  include ContentSecurityPolicyHelpers

  shared_examples 'configures Content Security Policy headers correctly' do |controller_class|
-    it 'adds ArkoseLabs URL to Content Security Policy headers' do
+    it 'adds Arkose host value to the correct Content Security Policy directives', :aggregate_failures do
      visit page_path

-      expect(response_headers['Content-Security-Policy']).to include('https://*.arkoselabs.com')
+      arkose_url = 'https://*.arkoselabs.com'
+      csp = response_headers['Content-Security-Policy']
+      directives = csp.split(';').map(&:strip)
+      script_src = directives.find { |d| /^script-src/.match d }
+      frame_src = directives.find { |d| /^frame-src/.match d }
+      connect_src = directives.find { |d| /^connect-src/.match d }
+      style_src = directives.find { |d| /^style-src/.match d }
+
+      expect(script_src).to include(arkose_url)
+      expect(frame_src).to include(arkose_url)
+      expect(connect_src).to include(arkose_url)
+      expect(style_src).to include(%q(unsafe-inline))
    end

    context 'when there is no global CSP config' do