1 files changed, 29 insertions, 0 deletions

diff --git a/spec/requests/content_security_policy_spec.rb b/spec/requests/content_security_policy_spec.rb
index 3f0665f1ce5..3ce7e33d88a 100644
--- a/spec/requests/content_security_policy_spec.rb
+++ b/spec/requests/content_security_policy_spec.rb
@@ -7,6 +7,7 @@ require 'spec_helper'
 # of testing in application_controller_spec.
 RSpec.describe 'Content Security Policy', feature_category: :application_instrumentation do
   let(:snowplow_host) { 'snowplow.example.com' }
+  let(:vite_origin) { "#{ViteRuby.instance.config.host}:#{ViteRuby.instance.config.port}" }
 
   shared_examples 'snowplow is not in the CSP' do
     it 'does not add the snowplow collector hostname to the CSP' do
@@ -46,5 +47,33 @@ RSpec.describe 'Content Security Policy', feature_category: :application_instrum
 
       it_behaves_like 'snowplow is not in the CSP'
     end
+
+    context 'when vite enabled during development',
+      quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/424334' do
+      before do
+        stub_rails_env('development')
+        stub_feature_flags(vite: true)
+
+        get explore_root_url
+      end
+
+      it 'adds vite csp' do
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response.headers['Content-Security-Policy']).to include(vite_origin)
+      end
+    end
+
+    context 'when vite disabled' do
+      before do
+        stub_feature_flags(vite: false)
+
+        get explore_root_url
+      end
+
+      it "doesn't add vite csp" do
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response.headers['Content-Security-Policy']).not_to include(vite_origin)
+      end
+    end
   end
 end