author | Dylan William Hardison <dylan@hardison.net> | 2017-02-06 16:55:15 +0100 |
---|---|---|
committer | Dylan William Hardison <dylan@hardison.net> | 2017-02-06 16:55:31 +0100 |
commit | bc705ae4c2fb5b4a22c1c1594ea2791545d12cc4 (patch) | |
tree | 93dc874f148c8dd3a63fe326fb28cdb0f5dc3d49 /Bugzilla | |
parent | 92ca9f67a4a2306218491ac45607a33414b96ad9 (diff) | |
download | bugzilla-bc705ae4c2fb5b4a22c1c1594ea2791545d12cc4.tar.gz bugzilla-bc705ae4c2fb5b4a22c1c1594ea2791545d12cc4.tar.xz |
Bug 1336387 - CSP breaks GitHubAuth on index and bug modal pages
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/CGI.pm | 37 |
1 files changed, 22 insertions, 15 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index f73fa6121..2402e997b 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -31,21 +31,28 @@ BEGIN {
 *AUTOLOAD = \&CGI::AUTOLOAD;
 }
 
-use constant DEFAULT_CSP => (
- default_src => [ 'self' ],
- script_src => [ 'self', 'unsafe-inline', 'unsafe-eval' ],
- child_src => [ 'self', ],
- img_src => [ 'self', 'https://secure.gravatar.com' ],
- style_src => [ 'self', 'unsafe-inline' ],
- object_src => [ 'none' ],
- form_action => [
- 'self',
- # used in template/en/default/search/search-google.html.tmpl
- 'https://www.google.com/search'
- ],
- frame_ancestors => [ 'none' ],
- disable => 1,
-);
+sub DEFAULT_CSP {
+ my %policy = (
+ default_src => [ 'self' ],
+ script_src => [ 'self', 'unsafe-inline', 'unsafe-eval' ],
+ child_src => [ 'self', ],
+ img_src => [ 'self', 'https://secure.gravatar.com' ],
+ style_src => [ 'self', 'unsafe-inline' ],
+ object_src => [ 'none' ],
+ form_action => [
+ 'self',
+ # used in template/en/default/search/search-google.html.tmpl
+ 'https://www.google.com/search'
+ ],
+ frame_ancestors => [ 'none' ],
+ disable => 1,
+ );
+ if (Bugzilla->params->{github_client_id} && !Bugzilla->user->id) {
+ push @{$policy{form_action}}, 'https://github.com/login/oauth/authorize', 'https://github.com/login';
+ }
+
+ return %policy;
+}
 
 # Because show_bug code lives in many different .cgi files,
 # we needed a centralized place to define the policy. |
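Review bot: The new `if` in DEFAULT_CSP widens form-action for logged-out users to two GitHub URLs but says nothing about why both are needed or why the widening is gated on `!Bugzilla->user->id`, so the next person to touch the policy cannot tell which entry is safe to drop. A comment above the `if` along the lines of `# GitHubAuth: the login form POSTs to github.com/login/oauth/authorize; github.com/login is listed as well because GitHub may redirect a signed-out user there, and some browsers check redirect targets against form-action too. Only needed while nobody is logged in.` would capture that — the redirect rationale is inferred from the pair of URLs and should be confirmed against the extension's login template. Worth stating in the same comment that DEFAULT_CSP now reads `Bugzilla->params` and `Bugzilla->user` and so must be called per request, not cached at module load the way the old `use constant` could be; the callers are outside this hunk. The policy is still built with `disable => 1`, so presumably this only has effect where a caller turns it on.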