From 460fc6c4f38120a4aa58f243bd3f0c8244902837 Mon Sep 17 00:00:00 2001
From: Connor Shea
Date: Wed, 6 Jul 2016 16:00:55 -0600
Subject: Document the CSP file.
---
 config/initializers/secure_headers.rb | 49 +++++++++++++++++++++++++++--------
 1 file changed, 38 insertions(+), 11 deletions(-)
(limited to 'config')
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 44425b74d43..7a2f0eab3c0 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -1,6 +1,8 @@
 require 'gitlab/current_settings'
 include Gitlab::CurrentSettings
+# If Sentry is enabled and the Rails app is running in production mode,
+# this will construct the Report URI for Sentry.
 if Rails.env.production? && current_application_settings.sentry_enabled
 uri = URI.parse(current_application_settings.sentry_dsn)
 CSP_REPORT_URI = "#{uri.scheme}://#{uri.host}/api#{uri.path}/csp-report/?sentry_key=#{uri.user}"
@@ -8,14 +10,20 @@ else
 CSP_REPORT_URI = ''
 end
+# Content Security Policy Headers
+# For more information on CSP see:
+# - https://gitlab.com/gitlab-org/gitlab-ce/issues/18231
+# - https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
 SecureHeaders::Configuration.default do |config|
+ # Mark all cookies as "Secure", "HttpOnly", and "SameSite=Strict".
 config.cookies = {
- secure: true, # mark all cookies as "Secure"
- httponly: true, # mark all cookies as "HttpOnly"
+ secure: true,
+ httponly: true,
 samesite: {
- strict: true # mark all cookies as SameSite=Strict
+ strict: true
 }
 }
+ # Disallow iframes.
 config.x_frame_options = "DENY"
 config.x_content_type_options = "nosniff"
 config.x_xss_protection = "1; mode=block"
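Review bot: The new comment above the Sentry block should also say why only `uri.user` is interpolated into the report URI and `uri.password` is not: this URL is sent to every browser in a response header, so the DSN's secret part (presumably what the password component holds) must never appear in it. Suggested addition: `# Only the DSN's public key (uri.user) goes into the header — it is visible to every client; the DSN secret must never be included.` Separately, the constructed URL drops `uri.port`, so a self-hosted Sentry on a non-default port would never receive reports; `"#{uri.host}#{":#{uri.port}" unless uri.port == uri.default_port}"` would preserve it.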
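Review bot: The added `# Disallow iframes.` above `config.x_frame_options = "DENY"` describes the wrong direction: X-Frame-Options DENY stops other origins from framing GitLab (clickjacking), it does not stop GitLab pages from embedding iframes, which is what `frame_src`/`child_src` later in this file govern. Suggest `# Refuse to be framed by any origin (clickjacking); legacy counterpart of frame_ancestors 'none'.` The cookie comment is accurate, but a short caveat that `samesite: { strict: true }` also withholds the cookie on cross-site top-level navigations (a user following a link from email or another site arrives logged out) would help whoever next touches it. The `SecureHeaders::Configuration.default` block continues past the end of this hunk.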
@@ -23,26 +31,44 @@ SecureHeaders::Configuration.default do |config|
 config.x_permitted_cross_domain_policies = "none"
 config.referrer_policy = "origin-when-cross-origin"
 config.csp = {
- # "meta" values. these will shaped the header, but the values are not included in the header.
- report_only: true, # default: false
- preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+ # "Meta" values.
+ report_only: true,
+ preserve_schemes: true,
- # directive values: these values will directly translate into source directives
+ # "Directive" values.
+ # Default source allows nothing, more permissive values are set per-policy.
 default_src: %w('none'),
- frame_src: %w('self'),
+ # (Deprecated) Don't allow iframes.
+ frame_src: %w('none'),
+ # Only allow XMLHTTPRequests from the GitLab instance itself.
 connect_src: %w('self'),
+ # Only load local fonts.
 font_src: %w('self'),
+ # Load local images, any external image available over HTTPS.
 img_src: %w('self' https:),
+ # Audio and video can't be played on GitLab currently, so it's disabled.
 media_src: %w('none'),
+ # Don't allow , , or elements.
 object_src: %w('none'),
+ # Allow local scripts and inline scripts.
 script_src: %w('unsafe-inline' 'self'),
+ # Allow local stylesheets and inline styles.
 style_src: %w('unsafe-inline' 'self'),
+ # The URIs that a user agent may use as the document base URL.
 base_uri: %w('self'),
+ # Only allow local iframes and service workers
 child_src: %w('self'),
+ # Only submit form information to the GitLab instance.
 form_action: %w('self'),
+ # Disallow any parents from embedding a page in an iframe.
 frame_ancestors: %w('none'),
- block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
- upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/
+ # Don't allow any plugins (Flash, Shockwave, etc.)
+ plugin_types: %w('none'),
+ # Blocks all mixed (HTTP) content.
+ block_all_mixed_content: true,
+ # Upgrades insecure requests to HTTPS when possible.
+ upgrade_insecure_requests: true,
+ # Reports are sent to Sentry if it's enabled, nowhere otherwise.
 report_uri: %W(#{CSP_REPORT_URI})
 }
@@ -51,11 +77,12 @@ SecureHeaders::Configuration.default do |config|
 config.csp[:script_src] << "maxcdn.bootstrapcdn.com"
 end
- # Recaptcha
+ # reCAPTCHA
 if current_application_settings.recaptcha_enabled
 config.csp[:script_src] << "https://www.google.com/recaptcha/"
 config.csp[:script_src] << "https://www.gstatic.com/recaptcha/"
 config.csp[:frame_src] << "https://www.google.com/recaptcha/"
+ config.x_frame_options = "SAMEORIGIN"
 end
 # Gravatar
-- cgit v1.2.1
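Review bot: The new `frame_src: %w('none')` contradicts the unchanged `child_src: %w('self')` a few lines below, and the two new comments ("Don't allow iframes" vs "Only allow local iframes and service workers") describe different policies; which one a browser enforces depends on whether it honours the deprecated frame-src or CSP2's child-src, so same-origin iframes are blocked in one browser and allowed in another. Pick one value and give both directives the same list. `plugin_types: %w('none')` is also not a valid value: plugin-types takes MIME types (e.g. `application/pdf`), not source keywords, and with `object_src: %w('none')` plugins are already blocked, so the directive can simply be dropped. The comment on `script_src` should be franker about `'unsafe-inline'`, e.g. `# 'unsafe-inline' is needed for now; it defeats most of CSP's XSS protection, so treat it as temporary.` The `config.csp = {` hash is complete within this hunk, but the enclosing `SecureHeaders::Configuration.default` block begins before it.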
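Review bot: The added `config.x_frame_options = "SAMEORIGIN"` weakens clickjacking protection for every page when reCAPTCHA is enabled without helping reCAPTCHA at all: X-Frame-Options governs who may frame GitLab, whereas the reCAPTCHA widget is an iframe GitLab itself embeds, which the `frame_src` append on the line above already covers. Because the CSP in this file is `report_only: true`, `frame_ancestors 'none'` is not enforced and X-Frame-Options DENY is the only framing defence actually in effect, so this line should be removed. Note too that appending to `frame_src` leaves the list as `'none' https://www.google.com/recaptcha/`; browsers ignore `'none'` when other sources are present but log a console warning, so the reCAPTCHA branch should replace the list rather than append, and mirror the change into `child_src`, which some browsers consult instead of the deprecated frame-src. The enclosing `SecureHeaders::Configuration.default` block begins before this hunk.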