Commit b2752c46 authored by Connor Shea's avatar Connor Shea

Only enable CSP policies when relevant features are enabled.

Gravatar, Google Analytics, Piwik, Recaptcha, etc.
parent fa56c34b
...@@ -32,7 +32,7 @@ SecureHeaders::Configuration.default do |config| ...@@ -32,7 +32,7 @@ SecureHeaders::Configuration.default do |config|
frame_src: %w('self'), frame_src: %w('self'),
connect_src: %w('self'), connect_src: %w('self'),
font_src: %w('self'), font_src: %w('self'),
img_src: %w('self' www.gravatar.com secure.gravatar.com https:), img_src: %w('self' https:),
media_src: %w('none'), media_src: %w('none'),
object_src: %w('none'), object_src: %w('none'),
script_src: %w('unsafe-inline' 'self'), script_src: %w('unsafe-inline' 'self'),
...@@ -46,7 +46,33 @@ SecureHeaders::Configuration.default do |config| ...@@ -46,7 +46,33 @@ SecureHeaders::Configuration.default do |config|
report_uri: %W(#{CSP_REPORT_URI}) report_uri: %W(#{CSP_REPORT_URI})
} }
# Allow Bootstrap Linter in development mode.
if Rails.env.development? if Rails.env.development?
config.csp[:script_src] << "maxcdn.bootstrapcdn.com" config.csp[:script_src] << "maxcdn.bootstrapcdn.com"
end end
# Recaptcha
if current_application_settings.recaptcha_enabled
config.csp[:script_src] << "https://www.google.com/recaptcha/"
config.csp[:script_src] << "https://www.gstatic.com/recaptcha/"
config.csp[:frame_src] << "https://www.google.com/recaptcha/"
end
# Gravatar
if current_application_settings.gravatar_enabled?
config.csp[:img_src] << "www.gravatar.com"
config.csp[:img_src] << "secure.gravatar.com"
config.csp[:img_src] << Gitlab.config.gravatar.host
end
# Piwik
if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id')
config.csp[:script_src] << Gitlab.config.extra.piwik_url
config.csp[:img_src] << Gitlab.config.extra.piwik_url
end
# Google Analytics
if Gitlab.config.extra.has_key?('google_analytics_id')
config.csp[:script_src] << "https://www.google-analytics.com"
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment