Diffstat (limited to 'spec/features/projects/tracings_spec.rb')
-rw-r--r--spec/features/projects/tracings_spec.rb63
1 files changed, 63 insertions, 0 deletions
diff --git a/spec/features/projects/tracings_spec.rb b/spec/features/projects/tracings_spec.rb
new file mode 100644
index 00000000000..c4a4f1382ed
--- /dev/null
+++ b/spec/features/projects/tracings_spec.rb
@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Tracings Content Security Policy' do
+ let_it_be(:project) { create(:project) }
+ let_it_be(:user) { create(:user) }
+
+ subject { response_headers['Content-Security-Policy'] }
+
+ before_all do
+ project.add_maintainer(user)
+ end
+
+ before do
+ sign_in(user)
+ end
+
+ context 'when there is no global config' do
+ before do
+ expect_next_instance_of(Projects::TracingsController) do |controller|
+ expect(controller).to receive(:current_content_security_policy)
+ .and_return(ActionDispatch::ContentSecurityPolicy.new)
+ end
+ end
+
+ it 'does not add CSP directives' do
+ visit project_tracing_path(project)
+
+ is_expected.to be_blank
+ end
+ end
+
+ context 'when a global CSP config exists' do
+ before do
+ csp = ActionDispatch::ContentSecurityPolicy.new do |p|
+ p.frame_src 'https://global-policy.com'
+ end
+
+ expect_next_instance_of(Projects::TracingsController) do |controller|
+ expect(controller).to receive(:current_content_security_policy).and_return(csp)
+ end
+ end
+
+ context 'when external_url is set' do
+ let!(:project_tracing_setting) { create(:project_tracing_setting, project: project) }
+
+ it 'overwrites frame-src' do
+ visit project_tracing_path(project)
+
+ is_expected.to eq("frame-src https://example.com")
+ end
+ end
+
+ context 'when external_url is not set' do
+ it 'uses global policy' do
+ visit project_tracing_path(project)
+
+ is_expected.to eq("frame-src https://global-policy.com")
+ end
+ end
+ end
+end
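Review bot: The stubbed global policy under 'when a global CSP config exists' contains only `frame-src`, so the 'overwrites frame-src' example cannot distinguish a controller that replaces just that directive from one that drops the rest of the global policy. Losing `script-src` or similar directives on this page would weaken it silently, so I would add a second directive to the stub, e.g. `p.script_src 'https://global-policy.com'`, and check in both nested examples that it survives, e.g. `is_expected.to include('script-src https://global-policy.com')`; the existing `eq` expectations would need adjusting to match. The expected `https://example.com` also appears to come from the `:project_tracing_setting` factory default, which is not visible in this hunk. Passing `external_url: 'https://example.com'` in the `create` call would make that expectation self-contained.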