Diffstat (limited to 'lib/gitlab/content_security_policy/config_loader.rb')
-rw-r--r-- | lib/gitlab/content_security_policy/config_loader.rb | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 8b1298d0561..ceca206b084 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -26,7 +26,7 @@ module Gitlab
'manifest_src' => "'self'",
'media_src' => "'self' data: http: https:",
'script_src' => ContentSecurityPolicy::Directives.script_src,
- 'style_src' => "'self' 'unsafe-inline'",
+ 'style_src' => ContentSecurityPolicy::Directives.style_src,
'worker_src' => "#{Gitlab::Utils.append_path(Gitlab.config.gitlab.url, 'assets/')} blob: data:",
'object_src' => "'none'",
'report_uri' => nil
@@ -43,6 +43,7 @@ module Gitlab
allow_websocket_connections(directives)
allow_cdn(directives, Settings.gitlab.cdn_host) if Settings.gitlab.cdn_host.present?
+ allow_zuora(directives) if Gitlab.com?
# Support for Sentry setup via configuration files will be removed in 16.0
# in favor of Gitlab::CurrentSettings.
allow_legacy_sentry(directives) if Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn
@@ -128,6 +129,14 @@ module Gitlab
append_to_directive(directives, 'frame_src', cdn_host)
end
+ def self.zuora_host
+ "https://*.zuora.com/apps/PublicHostedPageLite.do"
+ end
+
+ def self.allow_zuora(directives)
+ append_to_directive(directives, 'frame_src', zuora_host)
+ end
+
def self.append_to_directive(directives, directive, text)
directives[directive] = "#{directives[directive]} #{text}".strip
end |
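Review bot: `zuora_host` in the third hunk returns a full URL with a path (`https://*.zuora.com/apps/PublicHostedPageLite.do`), so the name understates what it holds; a frozen constant such as `ZUORA_HOSTED_PAGE_URL = 'https://*.zuora.com/apps/PublicHostedPageLite.do'` (constructed name) read by `allow_zuora` would match the value's shape and avoid building the string on every call. The wildcard host admits every `zuora.com` subdomain into `frame_src`; if the hosted page is only ever served from one subdomain, narrowing the pattern would limit which third-party origins GitLab.com pages may embed — worth confirming with the owner of the integration. A short comment above `allow_zuora`, e.g. `# GitLab.com embeds a Zuora hosted page (PublicHostedPageLite) in an iframe, so its origin must be allowed in frame_src`, would record why this exception exists. The `Gitlab.com?` gate that makes it SaaS-only lives in the second hunk, not in `allow_zuora` itself, so the comment should mention that too.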