Diffstat (limited to 'config')
-rw-r--r-- | config/gitlab.yml.example | 23 | ||||
-rw-r--r-- | config/initializers/1_settings.rb | 1 | ||||
-rw-r--r-- | config/initializers/content_security_policy.rb | 15 |
3 files changed, 39 insertions, 0 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 39b719a5978..226f2ec3722 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -47,6 +47,29 @@ production: &base
 #
 # relative_url_root: /gitlab
+ # Content Security Policy
+ # See https://guides.rubyonrails.org/security.html#content-security-policy
+ content_security_policy:
+ enabled: false
+ report_only: false
+ directives:
+ base_uri:
+ child_src:
+ connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000"
+ default_src: "'self'"
+ font_src:
+ form_action:
+ frame_ancestors: "'self'"
+ frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+ img_src: "* data: blob"
+ manifest_src:
+ media_src:
+ object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
+ script_src:
+ style_src: "'self' 'unsafe-inline'"
+ worker_src: "http://localhost:3000 blob:"
+ report_uri:
+
 # Trusted Proxies
 # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
 # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 659801f787d..828732126b6 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
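Review bot: The `object_src` default in this hunk carries `'unsafe-inline' 'unsafe-eval'` and the reCAPTCHA/Google API hosts while `script_src` is left empty, which reads like the script-src value landed under the wrong key: those two keywords have no meaning for object-src, and an empty script_src falls back to `default_src: "'self'"`, so the reCAPTCHA and Google API scripts would presumably be blocked as soon as the policy is enabled (how the ConfigLoader treats an empty directive is outside this diff, so confirm there). I would move that value to `script_src:` and tighten `object_src:` to `'none'` or `'self'`. Separately, `img_src: "* data: blob"` needs the scheme form `blob:` — without the colon it is parsed as a host name, as the `worker_src` line already spells it correctly.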
@@ -200,6 +200,7 @@ Settings.gitlab.default_projects_features['visibility_level'] = Settings.__sen
 Settings.gitlab['domain_whitelist'] ||= []
 Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values
 Settings.gitlab['trusted_proxies'] ||= []
+Settings.gitlab['content_security_policy'] ||= Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash
 Settings.gitlab['no_todos_messages'] ||= YAML.load_file(Rails.root.join('config', 'no_todos_messages.yml'))
 Settings.gitlab['impersonation_enabled'] ||= true if Settings.gitlab['impersonation_enabled'].nil?
 Settings.gitlab['usage_ping_enabled'] = true if Settings.gitlab['usage_ping_enabled'].nil?
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
new file mode 100644
index 00000000000..608d0401a96
--- /dev/null
+++ b/config/initializers/content_security_policy.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+csp_settings = Settings.gitlab.content_security_policy
+
+if csp_settings['enabled']
+ # See https://guides.rubyonrails.org/security.html#content-security-policy
+ Rails.application.config.content_security_policy do |policy|
+ directives = csp_settings.fetch('directives', {})
+ loader = ::Gitlab::ContentSecurityPolicy::ConfigLoader.new(directives)
+ loader.load(policy)
+ end
+
+ Rails.application.config.content_security_policy_report_only = csp_settings['report_only']
+ Rails.application.config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }
+end
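Review bot: The `||=` on the added `content_security_policy` line only supplies the defaults when the key is absent from gitlab.yml altogether; an operator who writes just `enabled: true` gets no `directives` and no `report_only`, and the new initializer then hands the loader an empty directives hash instead of the documented defaults. If `default_settings_hash` is a plain Hash (not visible here), filling in missing keys is safer: `Settings.gitlab['content_security_policy'] = Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash.merge(Settings.gitlab['content_security_policy'] || {})`, ideally as a deep merge so individual `directives` are defaulted too. Whether Settingslogic accepts a merged Hash here should be checked against the surrounding lines.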
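Review bot: The nonce generator set in the new initializer interacts badly with the example's `style_src: "'self' 'unsafe-inline'"` — on Rails versions that attach the nonce to style-src as well as script-src (the default since `config.content_security_policy_nonce_directives` was introduced), a nonce in the directive makes browsers ignore `'unsafe-inline'`, so inline styles start failing as soon as the policy is enabled. If that Rails version is in use, restrict the nonce with `Rails.application.config.content_security_policy_nonce_directives = %w[script-src]` next to the generator. Minor style: the lambda does not use its argument, so `->(_request) { SecureRandom.base64(16) }` documents that intent.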