diff options
| author | Connor Shea <connor.james.shea@gmail.com> | 2016-07-18 12:30:23 -0600 |
|---|---|---|
| committer | Connor Shea <connor.james.shea@gmail.com> | 2016-07-18 14:44:39 -0600 |
| commit | c2fe22f8f419a8e562f0f34e8c0f478aefc34ec0 (patch) | |
| tree | c0438c8375bb08fedcaab0e68e556dadaeacc48b | |
| parent | 460fc6c4f38120a4aa58f243bd3f0c8244902837 (diff) | |
| download | gitlab-ce-csp-basics.tar.gz | |
Minor policy refinements.csp-basics
| -rw-r--r-- | config/initializers/secure_headers.rb | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index 7a2f0eab3c0..9fd24a667cc 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -1,3 +1,6 @@ +# CSP headers have to have single quotes, so failures relating to quotes +# inside Ruby string arrays are irrelevant. +# rubocop:disable Lint/PercentStringArray require 'gitlab/current_settings' include Gitlab::CurrentSettings @@ -23,8 +26,6 @@ SecureHeaders::Configuration.default do |config| strict: true } } - # Disallow iframes. - config.x_frame_options = "DENY" config.x_content_type_options = "nosniff" config.x_xss_protection = "1; mode=block" config.x_download_options = "noopen" @@ -45,13 +46,13 @@ SecureHeaders::Configuration.default do |config| # Only load local fonts. font_src: %w('self'), # Load local images, any external image available over HTTPS. - img_src: %w('self' https:), + img_src: %w(* 'self' data:), # Audio and video can't be played on GitLab currently, so it's disabled. media_src: %w('none'), # Don't allow <object>, <embed>, or <applet> elements. object_src: %w('none'), # Allow local scripts and inline scripts. - script_src: %w('unsafe-inline' 'self'), + script_src: %w('unsafe-inline' 'unsafe-eval' 'self'), # Allow local stylesheets and inline styles. style_src: %w('unsafe-inline' 'self'), # The URIs that a user agent may use as the document base URL. @@ -63,15 +64,18 @@ SecureHeaders::Configuration.default do |config| # Disallow any parents from embedding a page in an iframe. frame_ancestors: %w('none'), # Don't allow any plugins (Flash, Shockwave, etc.) - plugin_types: %w('none'), + plugin_types: %w(), # Blocks all mixed (HTTP) content. block_all_mixed_content: true, # Upgrades insecure requests to HTTPS when possible. - upgrade_insecure_requests: true, - # Reports are sent to Sentry if it's enabled, nowhere otherwise. - report_uri: %W(#{CSP_REPORT_URI}) + upgrade_insecure_requests: true } + # Reports are sent to Sentry if it's enabled. + if current_application_settings.sentry_enabled + config.csp[:report_uri] = %W(#{CSP_REPORT_URI}) + end + # Allow Bootstrap Linter in development mode. if Rails.env.development? config.csp[:script_src] << "maxcdn.bootstrapcdn.com" |