Merge branch 'sh-support-csp-nonce' into 'master'

Add support for Content-Security-Policy

Closes #65330

See merge request gitlab-org/gitlab-ce!31402

11 files changed, 64 insertions, 58 deletions

diff --git a/app/assets/javascripts/lib/utils/common_utils.js b/app/assets/javascripts/lib/utils/common_utils.js
index 5e90893b684..31c4a920bbe 100644
--- a/app/assets/javascripts/lib/utils/common_utils.js
+++ b/app/assets/javascripts/lib/utils/common_utils.js
@@ -44,6 +44,11 @@ export const isInIssuePage = () => checkPageAndAction('issues', 'show');
 export const isInMRPage = () => checkPageAndAction('merge_requests', 'show');
 export const isInEpicPage = () => checkPageAndAction('epics', 'show');
 
+export const getCspNonceValue = () => {
+  const metaTag = document.querySelector('meta[name=csp-nonce]');
+  return metaTag && metaTag.content;
+};
+
 export const ajaxGet = url =>
   axios
     .get(url, {
@@ -51,7 +56,7 @@ export const ajaxGet = url =>
       responseType: 'text',
     })
     .then(({ data }) => {
-      $.globalEval(data);
+      $.globalEval(data, { nonce: getCspNonceValue() });
     });
 
 export const rstrip = val => {
diff --git a/app/views/layouts/_google_analytics.html.haml b/app/views/layouts/_google_analytics.html.haml
index 98ea96b0b77..e8a5359e791 100644
--- a/app/views/layouts/_google_analytics.html.haml
+++ b/app/views/layouts/_google_analytics.html.haml
@@ -1,11 +1,11 @@
--# haml-lint:disable InlineJavaScript
-:javascript
-  var _gaq = _gaq || [];
-  _gaq.push(['_setAccount', '#{extra_config.google_analytics_id}']);
-  _gaq.push(['_trackPageview']);
+= javascript_tag nonce: true do
+  :plain
+    var _gaq = _gaq || [];
+    _gaq.push(['_setAccount', '#{extra_config.google_analytics_id}']);
+    _gaq.push(['_trackPageview']);
 
-  (function() {
-    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
-    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
-    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
-  })();
+    (function() {
+      var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+      ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+      var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+    })();
diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index ac774803f95..271b73326fa 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -40,7 +40,7 @@
 
   = stylesheet_link_tag "highlight/themes/#{user_color_scheme}", media: "all"
 
-  = Gon::Base.render_data
+  = Gon::Base.render_data(nonce: content_security_policy_nonce)
 
   - if content_for?(:library_javascripts)
     = yield :library_javascripts
@@ -56,6 +56,7 @@
   = yield :project_javascripts
 
   = csrf_meta_tags
+  = csp_meta_tag
 
   - unless browser.safari?
     %meta{ name: 'referrer', content: 'origin-when-cross-origin' }
diff --git a/app/views/layouts/_init_auto_complete.html.haml b/app/views/layouts/_init_auto_complete.html.haml
index 240e03a5d53..82ec92988eb 100644
--- a/app/views/layouts/_init_auto_complete.html.haml
+++ b/app/views/layouts/_init_auto_complete.html.haml
@@ -4,8 +4,8 @@
 - datasources = autocomplete_data_sources(object, noteable_type)
 
 - if object
-  -# haml-lint:disable InlineJavaScript
-  :javascript
-    gl = window.gl || {};
-    gl.GfmAutoComplete = gl.GfmAutoComplete || {};
-    gl.GfmAutoComplete.dataSources = #{datasources.to_json};
+  = javascript_tag nonce: true do
+    :plain
+      gl = window.gl || {};
+      gl.GfmAutoComplete = gl.GfmAutoComplete || {};
+      gl.GfmAutoComplete.dataSources = #{datasources.to_json};
diff --git a/app/views/layouts/_init_client_detection_flags.html.haml b/app/views/layouts/_init_client_detection_flags.html.haml
index c729f8aa696..6537b86085f 100644
--- a/app/views/layouts/_init_client_detection_flags.html.haml
+++ b/app/views/layouts/_init_client_detection_flags.html.haml
@@ -1,7 +1,7 @@
 - client = client_js_flags
 
 - if client
-  -# haml-lint:disable InlineJavaScript
-  :javascript
-    gl = window.gl || {};
-    gl.client = #{client.to_json};
+  = javascript_tag nonce: true do
+    :plain
+      gl = window.gl || {};
+      gl.client = #{client.to_json};
diff --git a/app/views/layouts/_piwik.html.haml b/app/views/layouts/_piwik.html.haml
index 473b14ce626..2cb2e23433d 100644
--- a/app/views/layouts/_piwik.html.haml
+++ b/app/views/layouts/_piwik.html.haml
@@ -1,15 +1,15 @@
 <!-- Piwik -->
--# haml-lint:disable InlineJavaScript
-:javascript
-  var _paq = _paq || [];
-  _paq.push(['trackPageView']);
-  _paq.push(['enableLinkTracking']);
-  (function() {
-    var u="//#{extra_config.piwik_url}/";
-    _paq.push(['setTrackerUrl', u+'piwik.php']);
-    _paq.push(['setSiteId', "#{extra_config.piwik_site_id}"]);
-    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
-    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
-  })();
-<noscript><p><img src="//#{extra_config.piwik_url}/piwik.php?idsite=#{extra_config.piwik_site_id}" style="border:0;" alt="" /></p></noscript>
-<!-- End Piwik Code -->
+= javascript_tag nonce: true do
+  :plain
+    var _paq = _paq || [];
+    _paq.push(['trackPageView']);
+    _paq.push(['enableLinkTracking']);
+    (function() {
+      var u="//#{extra_config.piwik_url}/";
+      _paq.push(['setTrackerUrl', u+'piwik.php']);
+      _paq.push(['setSiteId', "#{extra_config.piwik_site_id}"]);
+      var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
+      g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
+    })();
+  <noscript><p><img src="//#{extra_config.piwik_url}/piwik.php?idsite=#{extra_config.piwik_site_id}" style="border:0;" alt="" /></p></noscript>
+  <!-- End Piwik Code -->
diff --git a/app/views/layouts/errors.html.haml b/app/views/layouts/errors.html.haml
index 06069a72951..74484005b48 100644
--- a/app/views/layouts/errors.html.haml
+++ b/app/views/layouts/errors.html.haml
@@ -8,12 +8,12 @@
   %body
     .page-container
       = yield
-    -# haml-lint:disable InlineJavaScript
-    :javascript
-      (function(){
-        var goBackElement = document.querySelector('.js-go-back');
+    = javascript_tag nonce: true do
+      :plain
+        (function(){
+          var goBackElement = document.querySelector('.js-go-back');
 
-        if (goBackElement && history.length > 1) {
-          goBackElement.style.display = 'block';
-        }
-      }());
+          if (goBackElement && history.length > 1) {
+            goBackElement.style.display = 'block';
+          }
+        }());
diff --git a/app/views/layouts/group.html.haml b/app/views/layouts/group.html.haml
index 1d40b78fa83..49de821f1c2 100644
--- a/app/views/layouts/group.html.haml
+++ b/app/views/layouts/group.html.haml
@@ -6,8 +6,8 @@
 
 - content_for :page_specific_javascripts do
   - if current_user
-    -# haml-lint:disable InlineJavaScript
-    :javascript
-      window.uploads_path = "#{group_uploads_path(@group)}";
+    = javascript_tag nonce: true do
+      :plain
+        window.uploads_path = "#{group_uploads_path(@group)}";
 
 = render template: "layouts/application"
diff --git a/app/views/layouts/project.html.haml b/app/views/layouts/project.html.haml
index 6b51483810e..b8ef38272fc 100644
--- a/app/views/layouts/project.html.haml
+++ b/app/views/layouts/project.html.haml
@@ -7,8 +7,8 @@
 - content_for :project_javascripts do
   - project = @target_project || @project
   - if current_user
-    -# haml-lint:disable InlineJavaScript
-    :javascript
-      window.uploads_path = "#{project_uploads_path(project)}";
+    = javascript_tag nonce: true do
+      :plain
+        window.uploads_path = "#{project_uploads_path(project)}";
 
 = render template: "layouts/application"
diff --git a/app/views/layouts/snippets.html.haml b/app/views/layouts/snippets.html.haml
index 841b2a5e79c..cde2b467392 100644
--- a/app/views/layouts/snippets.html.haml
+++ b/app/views/layouts/snippets.html.haml
@@ -3,8 +3,8 @@
 
 - content_for :page_specific_javascripts do
   - if snippets_upload_path
-    -# haml-lint:disable InlineJavaScript
-    :javascript
-      window.uploads_path = "#{snippets_upload_path}";
+    = javascript_tag nonce: true do
+      :plain
+        window.uploads_path = "#{snippets_upload_path}";
 
 = render template: "layouts/application"
diff --git a/app/views/projects/merge_requests/show.html.haml b/app/views/projects/merge_requests/show.html.haml
index 2c5c5141bf0..af3bd8dcd69 100644
--- a/app/views/projects/merge_requests/show.html.haml
+++ b/app/views/projects/merge_requests/show.html.haml
@@ -16,13 +16,13 @@
     - if @merge_request.source_branch_exists?
       = render "projects/merge_requests/how_to_merge"
 
-    -# haml-lint:disable InlineJavaScript
-    :javascript
-      window.gl = window.gl || {};
-      window.gl.mrWidgetData = #{serialize_issuable(@merge_request, serializer: 'widget', issues_links: true)}
+    = javascript_tag nonce: true do
+      :plain
+        window.gl = window.gl || {};
+        window.gl.mrWidgetData = #{serialize_issuable(@merge_request, serializer: 'widget', issues_links: true)}
 
-      window.gl.mrWidgetData.squash_before_merge_help_path = '#{help_page_path("user/project/merge_requests/squash_and_merge")}';
-      window.gl.mrWidgetData.troubleshooting_docs_path = '#{help_page_path('user/project/merge_requests/index.md', anchor: 'troubleshooting')}';
+        window.gl.mrWidgetData.squash_before_merge_help_path = '#{help_page_path("user/project/merge_requests/squash_and_merge")}';
+        window.gl.mrWidgetData.troubleshooting_docs_path = '#{help_page_path('user/project/merge_requests/index.md', anchor: 'troubleshooting')}';
 
     #js-vue-mr-widget.mr-widget