authorHeinrich Lee Yu <heinrich@gitlab.com>2019-08-14 16:12:05 +0800
committerStan Hu <stanhu@gmail.com>2019-08-22 11:10:33 -0700
commit92005fb70f38ee49396ae9e8123979f612827ada (patch)
tree9ef1fdaed24bc28039203407cb0d1ce175b6c5a1
parent8308469fdd031a1f7baa6e95966dfc467eb5df51 (diff)
downloadgitlab-ce-enable-csp-in-dev-and-ci-ce.tar.gz
Enable CSP in gitlab.yml.exampleenable-csp-in-dev-and-ci-ce
This enables CSP in dev and CI
-rw-r--r--config/gitlab.yml.example31
-rw-r--r--spec/support/capybara.rb3
2 files changed, 29 insertions, 5 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index efddbfcbb57..973c2747838 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -50,12 +50,12 @@ production: &base
# Content Security Policy
# See https://guides.rubyonrails.org/security.html#content-security-policy
content_security_policy:
- enabled: false
+ enabled: true
report_only: false
directives:
base_uri:
child_src:
- connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000"
+ connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
default_src: "'self'"
font_src:
form_action:
@@ -64,10 +64,10 @@ production: &base
img_src: "* data: blob:"
manifest_src:
media_src:
- object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
- script_src:
+ object_src: "'none'"
+ script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
style_src: "'self' 'unsafe-inline'"
- worker_src: "http://localhost:3000 blob:"
+ worker_src: "'self' blob:"
report_uri:
# Trusted Proxies
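Review bot: The new `script_src` value on the `+ script_src:` line carries `'unsafe-eval'` and the wildcard `http://localhost:*` under the `production: &base` anchor, and the identical value is repeated in the `test:` block added in the next hunk, with nothing in the file marking them as local-development concessions. `'unsafe-eval'` removes most of the XSS protection a script-src policy gives, and a localhost wildcard is presumably only meaningful with a local asset server (the removed values pointed at port 3808), so a deployment that copies this example unchanged inherits both; whether the development section picks this up via `*base` is not visible in the hunk. I would add a comment above the directive, e.g. `# 'unsafe-eval' and http://localhost:* are needed for the local development asset server; drop both in a hardened deployment`. Separately, `base_uri:` is left empty in both the base and the new `test:` section, so `base_uri: "'self'"` would be a cheap addition that stops an injected base element from redirecting relative script URLs.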
@@ -1099,6 +1099,27 @@ test:
host: localhost
port: 80
+ content_security_policy:
+ enabled: true
+ report_only: false
+ directives:
+ base_uri:
+ child_src:
+ connect_src:
+ default_src: "'self'"
+ font_src:
+ form_action:
+ frame_ancestors: "'self'"
+ frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+ img_src: "* data: blob:"
+ manifest_src:
+ media_src:
+ object_src: "'none'"
+ script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
+ style_src: "'self' 'unsafe-inline'"
+ worker_src: "'self' blob:"
+ report_uri:
+
# When you run tests we clone and set up gitlab-shell
# In order to set it up correctly you need to specify
# your system username you use to run GitLab
diff --git a/spec/support/capybara.rb b/spec/support/capybara.rb
index 8accc5c1df5..4c688094352 100644
--- a/spec/support/capybara.rb
+++ b/spec/support/capybara.rb
@@ -47,6 +47,9 @@ Capybara.register_driver :chrome do |app|
# Explicitly set user-data-dir to prevent crashes. See https://gitlab.com/gitlab-org/gitlab-ce/issues/58882#note_179811508
options.add_argument("user-data-dir=/tmp/chrome") if ENV['CI'] || ENV['CI_SERVER']
+ # Chrome 75 defaults to W3C mode which doesn't allow console log access
+ options.add_option(:w3c, false)
+
Capybara::Selenium::Driver.new(
app,
browser: :chrome,