Merge branch 'el-update-arkose-csp' into 'master'

Update CSP configuration for Arkose integration Closes gitlab-org/modelops/anti-abuse/team-tasks#860 See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/167282 Merged-by: Mark Chao <mchao@gitlab.com> Approved-by: Ian Anderson <ianderson@gitlab.com> Approved-by: Mark Chao <mchao@gitlab.com> Co-authored-by: Eugie Limpin <elimpin@gitlab.com>

Merge branch 'el-update-arkose-csp' into 'master'
c34e49f4 · Mark Chao · GitLab · 20350fd3 · 1d127325 · c34e49f4
--- a/ee/app/controllers/concerns/arkose/content_security_policy.rb
+++ b/ee/app/controllers/concerns/arkose/content_security_policy.rb
@@ -15,6 +15,10 @@ module ContentSecurityPolicy
        default_frame_src = policy.directives['frame-src'] || policy.directives['default-src']
        frame_src_values = Array.wrap(default_frame_src) | ['https://*.arkoselabs.com']
        policy.frame_src(*frame_src_values)
+
+        default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
+        connect_src_values = Array.wrap(default_connect_src) | ['https://*.arkoselabs.com']
+        policy.connect_src(*connect_src_values)
      end
    end
  end

--- a/ee/spec/features/users/arkose_content_security_policy_spec.rb
+++ b/ee/spec/features/users/arkose_content_security_policy_spec.rb
@@ -6,10 +6,21 @@
  include ContentSecurityPolicyHelpers

  shared_examples 'configures Content Security Policy headers correctly' do |controller_class|
-    it 'adds ArkoseLabs URL to Content Security Policy headers' do
+    it 'adds Arkose host value to the correct Content Security Policy directives', :aggregate_failures do
      visit page_path

-      expect(response_headers['Content-Security-Policy']).to include('https://*.arkoselabs.com')
+      arkose_url = 'https://*.arkoselabs.com'
+      csp = response_headers['Content-Security-Policy']
+      directives = csp.split(';').map(&:strip)
+      script_src = directives.find { |d| /^script-src/.match d }
+      frame_src = directives.find { |d| /^frame-src/.match d }
+      connect_src = directives.find { |d| /^connect-src/.match d }
+      style_src = directives.find { |d| /^style-src/.match d }
+
+      expect(script_src).to include(arkose_url)
+      expect(frame_src).to include(arkose_url)
+      expect(connect_src).to include(arkose_url)
+      expect(style_src).to include(%q(unsafe-inline))
    end

    context 'when there is no global CSP config' do