diff options
| -rw-r--r-- | Gemfile | 3 | ||||
| -rw-r--r-- | Gemfile.lock | 4 | ||||
| -rw-r--r-- | config/initializers/secure_headers.rb | 109 |
3 files changed, 0 insertions, 116 deletions
@@ -349,6 +349,3 @@ gem 'health_check', '~> 2.1.0' # System information gem 'vmstat', '~> 2.1.0' gem 'sys-filesystem', '~> 1.1.6' - -# Secure headers for Content Security Policy -gem 'secure_headers', '~> 3.3' diff --git a/Gemfile.lock b/Gemfile.lock index 363904a4baa..8739f8579d5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -645,8 +645,6 @@ GEM sdoc (0.3.20) json (>= 1.1.3) rdoc (~> 3.10) - secure_headers (3.3.2) - useragent seed-fu (2.3.6) activerecord (>= 3.1) activesupport (>= 3.1) @@ -769,7 +767,6 @@ GEM get_process_mem (~> 0) unicorn (>= 4, < 6) uniform_notifier (1.9.0) - useragent (0.16.7) uuid (2.3.8) macaddr (~> 1.0) version_sorter (2.0.0) @@ -947,7 +944,6 @@ DEPENDENCIES sass-rails (~> 5.0.0) scss_lint (~> 0.47.0) sdoc (~> 0.3.20) - secure_headers (~> 3.3) seed-fu (~> 2.3.5) select2-rails (~> 3.5.9) sentry-raven (~> 1.1.0) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb deleted file mode 100644 index 9fd24a667cc..00000000000 --- a/config/initializers/secure_headers.rb +++ /dev/null @@ -1,109 +0,0 @@ -# CSP headers have to have single quotes, so failures relating to quotes -# inside Ruby string arrays are irrelevant. -# rubocop:disable Lint/PercentStringArray -require 'gitlab/current_settings' -include Gitlab::CurrentSettings - -# If Sentry is enabled and the Rails app is running in production mode, -# this will construct the Report URI for Sentry. -if Rails.env.production? && current_application_settings.sentry_enabled - uri = URI.parse(current_application_settings.sentry_dsn) - CSP_REPORT_URI = "#{uri.scheme}://#{uri.host}/api#{uri.path}/csp-report/?sentry_key=#{uri.user}" -else - CSP_REPORT_URI = '' -end - -# Content Security Policy Headers -# For more information on CSP see: -# - https://gitlab.com/gitlab-org/gitlab-ce/issues/18231 -# - https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives -SecureHeaders::Configuration.default do |config| - # Mark all cookies as "Secure", "HttpOnly", and "SameSite=Strict". - config.cookies = { - secure: true, - httponly: true, - samesite: { - strict: true - } - } - config.x_content_type_options = "nosniff" - config.x_xss_protection = "1; mode=block" - config.x_download_options = "noopen" - config.x_permitted_cross_domain_policies = "none" - config.referrer_policy = "origin-when-cross-origin" - config.csp = { - # "Meta" values. - report_only: true, - preserve_schemes: true, - - # "Directive" values. - # Default source allows nothing, more permissive values are set per-policy. - default_src: %w('none'), - # (Deprecated) Don't allow iframes. - frame_src: %w('none'), - # Only allow XMLHTTPRequests from the GitLab instance itself. - connect_src: %w('self'), - # Only load local fonts. - font_src: %w('self'), - # Load local images, any external image available over HTTPS. - img_src: %w(* 'self' data:), - # Audio and video can't be played on GitLab currently, so it's disabled. - media_src: %w('none'), - # Don't allow <object>, <embed>, or <applet> elements. - object_src: %w('none'), - # Allow local scripts and inline scripts. - script_src: %w('unsafe-inline' 'unsafe-eval' 'self'), - # Allow local stylesheets and inline styles. - style_src: %w('unsafe-inline' 'self'), - # The URIs that a user agent may use as the document base URL. - base_uri: %w('self'), - # Only allow local iframes and service workers - child_src: %w('self'), - # Only submit form information to the GitLab instance. - form_action: %w('self'), - # Disallow any parents from embedding a page in an iframe. - frame_ancestors: %w('none'), - # Don't allow any plugins (Flash, Shockwave, etc.) - plugin_types: %w(), - # Blocks all mixed (HTTP) content. - block_all_mixed_content: true, - # Upgrades insecure requests to HTTPS when possible. - upgrade_insecure_requests: true - } - - # Reports are sent to Sentry if it's enabled. - if current_application_settings.sentry_enabled - config.csp[:report_uri] = %W(#{CSP_REPORT_URI}) - end - - # Allow Bootstrap Linter in development mode. - if Rails.env.development? - config.csp[:script_src] << "maxcdn.bootstrapcdn.com" - end - - # reCAPTCHA - if current_application_settings.recaptcha_enabled - config.csp[:script_src] << "https://www.google.com/recaptcha/" - config.csp[:script_src] << "https://www.gstatic.com/recaptcha/" - config.csp[:frame_src] << "https://www.google.com/recaptcha/" - config.x_frame_options = "SAMEORIGIN" - end - - # Gravatar - if current_application_settings.gravatar_enabled? - config.csp[:img_src] << "www.gravatar.com" - config.csp[:img_src] << "secure.gravatar.com" - config.csp[:img_src] << Gitlab.config.gravatar.host - end - - # Piwik - if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id') - config.csp[:script_src] << Gitlab.config.extra.piwik_url - config.csp[:img_src] << Gitlab.config.extra.piwik_url - end - - # Google Analytics - if Gitlab.config.extra.has_key?('google_analytics_id') - config.csp[:script_src] << "https://www.google-analytics.com" - end -end |