From b2752c46f4884681b09f6562920d177918e66278 Mon Sep 17 00:00:00 2001 From: Connor Shea Date: Tue, 5 Jul 2016 17:52:44 -0600 Subject: Only enable CSP policies when relevant features are enabled. Gravatar, Google Analytics, Piwik, Recaptcha, etc. --- config/initializers/secure_headers.rb | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index a704dd2ee7e..44425b74d43 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -32,7 +32,7 @@ SecureHeaders::Configuration.default do |config| frame_src: %w('self'), connect_src: %w('self'), font_src: %w('self'), - img_src: %w('self' www.gravatar.com secure.gravatar.com https:), + img_src: %w('self' https:), media_src: %w('none'), object_src: %w('none'), script_src: %w('unsafe-inline' 'self'), @@ -46,7 +46,33 @@ SecureHeaders::Configuration.default do |config| report_uri: %W(#{CSP_REPORT_URI}) } + # Allow Bootstrap Linter in development mode. if Rails.env.development? config.csp[:script_src] << "maxcdn.bootstrapcdn.com" end + + # Recaptcha + if current_application_settings.recaptcha_enabled + config.csp[:script_src] << "https://www.google.com/recaptcha/" + config.csp[:script_src] << "https://www.gstatic.com/recaptcha/" + config.csp[:frame_src] << "https://www.google.com/recaptcha/" + end + + # Gravatar + if current_application_settings.gravatar_enabled? + config.csp[:img_src] << "www.gravatar.com" + config.csp[:img_src] << "secure.gravatar.com" + config.csp[:img_src] << Gitlab.config.gravatar.host + end + + # Piwik + if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id') + config.csp[:script_src] << Gitlab.config.extra.piwik_url + config.csp[:img_src] << Gitlab.config.extra.piwik_url + end + + # Google Analytics + if Gitlab.config.extra.has_key?('google_analytics_id') + config.csp[:script_src] << "https://www.google-analytics.com" + end end -- cgit v1.2.1