author | Heinrich Lee Yu <heinrich@gitlab.com> | 2019-08-14 16:12:05 +0800 |
committer | Stan Hu <stanhu@gmail.com> | 2019-08-22 11:10:33 -0700 |
commit | 92005fb70f38ee49396ae9e8123979f612827ada (patch) | |
tree | 9ef1fdaed24bc28039203407cb0d1ce175b6c5a1 /config | |
parent | 8308469fdd031a1f7baa6e95966dfc467eb5df51 (diff) | |
download | gitlab-ce-92005fb70f38ee49396ae9e8123979f612827ada.tar.gz |
Enable CSP in gitlab.yml.exampleenable-csp-in-dev-and-ci-ce
This enables CSP in development and CI.
Diffstat (limited to 'config')
-rw-r--r-- | config/gitlab.yml.example | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index efddbfcbb57..973c2747838 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -50,12 +50,12 @@ production: &base
     # Content Security Policy
     # See https://guides.rubyonrails.org/security.html#content-security-policy
     content_security_policy:
-      enabled: false
+      enabled: true
       report_only: false
       directives:
         base_uri:
         child_src:
-        connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000"
+        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
         default_src: "'self'"
         font_src:
         form_action:
@@ -64,10 +64,10 @@ production: &base
         img_src: "* data: blob:"
         manifest_src:
         media_src:
-        object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
-        script_src:
+        object_src: "'none'"
+        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
         style_src: "'self' 'unsafe-inline'"
-        worker_src: "http://localhost:3000 blob:"
+        worker_src: "'self' blob:"
         report_uri:
 
     # Trusted Proxies
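Review bot: `enabled: true` together with the wildcard-port `http://localhost:*` / `ws://localhost:*` / `wss://localhost:*` sources is added to the `production: &base` anchor, which is the template operators copy for real deployments, while the commit message scopes the change to development and CI. A `localhost` source in a CSP is resolved by the visitor's browser against the visitor's own machine, so this permits the page to connect to whatever port any local process happens to listen on — a local-dev-server convenience, not something the production example should carry unmarked. Consider keeping the base `connect_src` at `'self'` and adding the localhost entries only under the `development:` section, or at minimum annotating the line: `connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*" # localhost:* is for local dev tooling only; remove in production`. With `report_only: false` and `report_uri:` left empty, an enforcing policy here also has nowhere to send violation reports, which is worth a comment for operators.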
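Review bot: The new `script_src` in the production template carries `'unsafe-eval'` and `http://localhost:*`; with eval allowed, `script-src` no longer stops an injected payload that reaches an eval-style sink, and the localhost wildcard is again evaluated against the visitor's machine, so these two tokens undo much of what enabling the policy buys. `object_src: "'none'"` is the right value, and dropping `'unsafe-inline'` from the script sources is good, but the two dev-only tokens should be overridden in `development:` or documented so operators know to strip them, e.g. `script_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" # development:/test: add 'unsafe-eval' and http://localhost:*`. The `frame_ancestors` / `frame_src` lines of this section fall between the two hunks and are not shown, so I cannot tell from here whether the production template also sets clickjacking protection.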
@@ -1099,6 +1099,27 @@ test:
     host: localhost
     port: 80
+    content_security_policy:
+      enabled: true
+      report_only: false
+      directives:
+        base_uri:
+        child_src:
+        connect_src:
+        default_src: "'self'"
+        font_src:
+        form_action:
+        frame_ancestors: "'self'"
+        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+        img_src: "* data: blob:"
+        manifest_src:
+        media_src:
+        object_src: "'none'"
+        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
+        style_src: "'self' 'unsafe-inline'"
+        worker_src: "'self' blob:"
+        report_uri:
+
 
     # When you run tests we clone and set up gitlab-shell
     # In order to set it up correctly you need to specify
     # your system username you use to run GitLab
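Review bot: The test block enforces the policy (`report_only: false`) with an empty `report_uri:`, so a CSP violation in a feature spec only surfaces as a silently blocked request or script in the browser, which makes CI failures caused by the policy hard to attribute. A header comment stating the intent would help, e.g. `# CSP is enforced in test so feature specs fail on policy violations; nothing is reported (no report_uri), look for blocked resources in the browser console/JS errors`. `script_src` also keeps `'unsafe-eval'` and `http://localhost:*` in CI, so a regression that makes the frontend depend on eval, or load a script from another local port, would not be caught; if the test tooling genuinely needs them, a comment naming the consumer (`# 'unsafe-eval' and localhost:* are required by <tool>; do not copy into production`) would stop them being cargo-culted into deployments. `connect_src:` is left blank here and therefore falls back to `default_src "'self'"`, unlike the base section which allows `ws://localhost:*`; presumably intentional, but worth confirming no spec relies on a local websocket.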