summaryrefslogtreecommitdiff
path: root/doc/development/fe_guide/security.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/development/fe_guide/security.md')
-rw-r--r--doc/development/fe_guide/security.md8
1 files changed, 4 insertions, 4 deletions
diff --git a/doc/development/fe_guide/security.md b/doc/development/fe_guide/security.md
index a82c315032f..627c5f4d12f 100644
--- a/doc/development/fe_guide/security.md
+++ b/doc/development/fe_guide/security.md
@@ -1,7 +1,7 @@
---
stage: none
group: unassigned
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Security
@@ -31,7 +31,7 @@ GitLab's CSP is used for the following:
Some exceptions include:
-- Scripts from Google Analytics and Piwik if either is enabled.
+- Scripts from Google Analytics and Matomo if either is enabled.
- Connecting with GitHub, Bitbucket, GitLab.com, etc. to allow project importing.
- Connecting with Google, Twitter, GitHub, etc. to allow OAuth authentication.
@@ -66,14 +66,14 @@ Some resources on implementing Subresource Integrity:
## Including external resources
External fonts, CSS, and JavaScript should never be used with the exception of
-Google Analytics and Piwik - and only when the instance has enabled it. Assets
+Google Analytics and Matomo - and only when the instance has enabled it. Assets
should always be hosted and served locally from the GitLab instance. Embedded
resources via `iframes` should never be used except in certain circumstances
such as with reCAPTCHA, which cannot be used without an `iframe`.
## Avoiding inline scripts and styles
-In order to protect users from [XSS vulnerabilities](https://en.wikipedia.org/wiki/Cross-site_scripting), we will disable
+In order to protect users from [XSS vulnerabilities](https://en.wikipedia.org/wiki/Cross-site_scripting), we intend to disable
inline scripts in the future using Content Security Policy.
While inline scripts can be useful, they're also a security concern. If
View Lorry Controller Status