From 92005fb70f38ee49396ae9e8123979f612827ada Mon Sep 17 00:00:00 2001
From: Heinrich Lee Yu
Date: Wed, 14 Aug 2019 16:12:05 +0800
Subject: Enable CSP in gitlab.yml.example

This enables CSP in dev and CI
---
 config/gitlab.yml.example | 31 ++++++++++++++++++++++++++-----
 spec/support/capybara.rb | 3 +++
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index efddbfcbb57..973c2747838 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -50,12 +50,12 @@ production: &base
 # Content Security Policy
 # See https://guides.rubyonrails.org/security.html#content-security-policy
 content_security_policy:
- enabled: false
+ enabled: true
 report_only: false
 directives:
 base_uri:
 child_src:
- connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000"
+ connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
 default_src: "'self'"
 font_src:
 form_action:
@@ -64,10 +64,10 @@ production: &base
 img_src: "* data: blob:"
 manifest_src:
 media_src:
- object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
- script_src:
+ object_src: "'none'"
+ script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
 style_src: "'self' 'unsafe-inline'"
- worker_src: "http://localhost:3000 blob:"
+ worker_src: "'self' blob:"
 report_uri:
 
 # Trusted Proxies
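Review bot: The new `connect_src` line allows plain `http://localhost:*` and `ws://localhost:*` on every port, and because it sits under the `production: &base` anchor it is inherited by every environment that merges base, not just dev and CI as the commit message says. Nothing on the line tells an operator copying this example that the localhost entries are development-only, so they tend to survive into real deployments; a comment above the directive such as `# The localhost:* entries are for the local dev/asset server only (confirm which one); drop them in production` would make the intent explicit. With `enabled: true` now the default and `report_uri:` left empty, a deployment has no way to observe violations before they block; noting that `report_only: true` plus a `report_uri` is the usual first step would help first-time adopters. The `content_security_policy` mapping continues past this hunk (the lines between `form_action:` and `img_src:` are not shown), so I cannot see whether `frame_ancestors` is set in the base section.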
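Review bot: The new `script_src` line keeps `'unsafe-eval'` and adds `http://localhost:*`, which in the inherited base section means any process listening on a local HTTP port is an allowed script origin and eval-based injection stays unmitigated; this is the directive where CSP provides most of its value, so these relaxations deserve a stated reason in the file. `object_src: "'none'"` and `worker_src: "'self' blob:"` are good tightenings; I would add above `script_src` a comment like `# 'unsafe-eval' and http://localhost:* are presumably required by the dev asset pipeline — confirm, and remove them in production`. The hunk also carries `style_src: "'self' 'unsafe-inline'"` unchanged as context, so the effective policy still permits inline styles; worth a note if that is deliberate.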
@@ -1099,6 +1099,27 @@ test:
 host: localhost
 port: 80
 
+ content_security_policy:
+ enabled: true
+ report_only: false
+ directives:
+ base_uri:
+ child_src:
+ connect_src:
+ default_src: "'self'"
+ font_src:
+ form_action:
+ frame_ancestors: "'self'"
+ frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+ img_src: "* data: blob:"
+ manifest_src:
+ media_src:
+ object_src: "'none'"
+ script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
+ style_src: "'self' 'unsafe-inline'"
+ worker_src: "'self' blob:"
+ report_uri:
+
 # When you run tests we clone and set up gitlab-shell
 # In order to set it up correctly you need to specify
 # your system username you use to run GitLab
diff --git a/spec/support/capybara.rb b/spec/support/capybara.rb
index 8accc5c1df5..4c688094352 100644
--- a/spec/support/capybara.rb
+++ b/spec/support/capybara.rb
@@ -47,6 +47,9 @@ Capybara.register_driver :chrome do |app|
 # Explicitly set user-data-dir to prevent crashes. See https://gitlab.com/gitlab-org/gitlab-ce/issues/58882#note_179811508
 options.add_argument("user-data-dir=/tmp/chrome") if ENV['CI'] || ENV['CI_SERVER']
 
+ # Chrome 75 defaults to W3C mode which doesn't allow console log access
+ options.add_option(:w3c, false)
+
 Capybara::Selenium::Driver.new(
 app,
 browser: :chrome,
-- 
cgit v1.2.1
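Review bot: The `test:` section re-lists every CSP directive instead of inheriting the base values, and its `script_src`, `style_src`, `worker_src`, `object_src` and `img_src` strings are verbatim copies of the production hunk, so the two policies will drift the next time one is edited and CI will stop exercising what production actually ships. If `test:` merges `*base` (the top of the section is outside this hunk, so I cannot confirm it), only the real overrides — `frame_ancestors`, `frame_src` and the emptied `connect_src` — need to appear here; otherwise a comment on the `content_security_policy:` line such as `# Keep in sync with the production CSP directives above` would at least flag the duplication. The `frame_src` line whitelists several `content-*.googleapis.com` hosts with no explanation; a one-line comment naming the feature that needs them (presumably a Google Cloud integration — confirm) would let a future reader prune the list safely.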
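Review bot: `options.add_option(:w3c, false)` opts the whole feature-test suite out of the W3C WebDriver protocol to keep console-log access, which is a compatibility workaround rather than a setting that should persist unnoticed; the comment says why it exists but not when it can go. I would extend it to `# TODO: remove once console log access is available in W3C mode (Chrome 75 flipped the default)` so the next driver upgrade revisits it. The enclosing `Capybara.register_driver :chrome do |app|` block starts before the hunk, and the `Capybara::Selenium::Driver.new(` call it feeds continues past the last hunk line.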