author | Connor Shea <connor.james.shea@gmail.com> | 2016-07-05 17:52:44 -0600 |
committer | Connor Shea <connor.james.shea@gmail.com> | 2016-07-18 11:43:35 -0600 |
commit | b2752c46f4884681b09f6562920d177918e66278 (patch) | |
tree | 41e1f95511ebc75e5d2010b62e3d5bb4548aae4f /config | |
parent | fa56c34b478c39639abfc51fbde6f55b5641ab1e (diff) | |
download | gitlab-ce-b2752c46f4884681b09f6562920d177918e66278.tar.gz |
Only enable CSP policies when relevant features are enabled.
Gravatar, Google Analytics, Piwik, Recaptcha, etc.
Diffstat (limited to 'config')
-rw-r--r-- | config/initializers/secure_headers.rb | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index a704dd2ee7e..44425b74d43 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -32,7 +32,7 @@ SecureHeaders::Configuration.default do |config|
 frame_src: %w('self'),
 connect_src: %w('self'),
 font_src: %w('self'),
- img_src: %w('self' www.gravatar.com secure.gravatar.com https:),
+ img_src: %w('self' https:),
 media_src: %w('none'),
 object_src: %w('none'),
 script_src: %w('unsafe-inline' 'self'),
@@ -46,7 +46,33 @@ SecureHeaders::Configuration.default do |config|
 report_uri: %W(#{CSP_REPORT_URI})
 }
 
+ # Allow Bootstrap Linter in development mode.
 if Rails.env.development?
 config.csp[:script_src] << "maxcdn.bootstrapcdn.com"
 end
+
+ # Recaptcha
+ if current_application_settings.recaptcha_enabled
+ config.csp[:script_src] << "https://www.google.com/recaptcha/"
+ config.csp[:script_src] << "https://www.gstatic.com/recaptcha/"
+ config.csp[:frame_src] << "https://www.google.com/recaptcha/"
+ end
+
+ # Gravatar
+ if current_application_settings.gravatar_enabled?
+ config.csp[:img_src] << "www.gravatar.com"
+ config.csp[:img_src] << "secure.gravatar.com"
+ config.csp[:img_src] << Gitlab.config.gravatar.host
+ end
+
+ # Piwik
+ if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id')
+ config.csp[:script_src] << Gitlab.config.extra.piwik_url
+ config.csp[:img_src] << Gitlab.config.extra.piwik_url
+ end
+
+ # Google Analytics
+ if Gitlab.config.extra.has_key?('google_analytics_id')
+ config.csp[:script_src] << "https://www.google-analytics.com"
+ end
 end |
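Review bot: The feature checks in the second hunk run once when the initializer is loaded, so the emitted CSP reflects the admin settings as they were at boot: toggling reCAPTCHA or Gravatar in the application settings will not add or remove their sources until the process restarts, and if `current_application_settings` reads the database the initializer now also depends on the database being reachable and migrated at startup (rake tasks such as `db:create` or `assets:precompile` are where that would surface). That deserves a comment at the top of the new section, e.g. `# NOTE: evaluated once at boot; the CSP does not follow later changes to these settings without a restart.`. Separately, `Gitlab.config.gravatar.host` is appended unguarded, so if that key is unset a `nil` ends up in the source list; `config.csp[:img_src] << Gitlab.config.gravatar.host if Gitlab.config.gravatar.host.present?` avoids that. Note also that `img_src` still contains `https:`, so the explicit Gravatar hosts only matter when avatar URLs are not served over HTTPS. The enclosing `SecureHeaders::Configuration.default` block starts before this hunk.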