Merge branch 'enable-csp-in-dev-and-ci-ce' into 'master'

[CE] Enable CSP in dev and CI

See merge request gitlab-org/gitlab-ce!31800

config/gitlab.yml.example

@@ -50,12 +50,12 @@ production: &base
     # Content Security Policy
     # See https://guides.rubyonrails.org/security.html#content-security-policy
     content_security_policy:
-      enabled: false
+      enabled: true
       report_only: false
       directives:
         base_uri:
         child_src:
-        connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000"
+        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
         default_src: "'self'"
         font_src:
         form_action:
@@ -64,10 +64,10 @@ production: &base
         img_src: "* data: blob:"
         manifest_src:
         media_src:
-        object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
-        script_src:
+        object_src: "'none'"
+        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
         style_src: "'self' 'unsafe-inline'"
-        worker_src: "http://localhost:3000 blob:"
+        worker_src: "'self' blob:"
         report_uri:
 
     # Trusted Proxies
@@ -1099,6 +1099,27 @@ test:
     host: localhost
     port: 80
 
+    content_security_policy:
+      enabled: true
+      report_only: false
+      directives:
+        base_uri:
+        child_src:
+        connect_src:
+        default_src: "'self'"
+        font_src:
+        form_action:
+        frame_ancestors: "'self'"
+        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+        img_src: "* data: blob:"
+        manifest_src:
+        media_src:
+        object_src: "'none'"
+        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
+        style_src: "'self' 'unsafe-inline'"
+        worker_src: "'self' blob:"
+        report_uri:
+
     # When you run tests we clone and set up gitlab-shell
     # In order to set it up correctly you need to specify
     # your system username you use to run GitLab

spec/support/capybara.rb

@@ -47,6 +47,9 @@ Capybara.register_driver :chrome do |app|
   # Explicitly set user-data-dir to prevent crashes. See https://gitlab.com/gitlab-org/gitlab-ce/issues/58882#note_179811508
   options.add_argument("user-data-dir=/tmp/chrome") if ENV['CI'] || ENV['CI_SERVER']
 
+  # Chrome 75 defaults to W3C mode which doesn't allow console log access
+  options.add_option(:w3c, false)
+
   Capybara::Selenium::Driver.new(
     app,
     browser: :chrome,