Commit c2fe22f8 authored by Connor Shea's avatar Connor Shea

Minor policy refinements.

parent 460fc6c4
# CSP headers have to have single quotes, so failures relating to quotes
# inside Ruby string arrays are irrelevant.
# rubocop:disable Lint/PercentStringArray
require 'gitlab/current_settings' require 'gitlab/current_settings'
include Gitlab::CurrentSettings include Gitlab::CurrentSettings
...@@ -23,8 +26,6 @@ SecureHeaders::Configuration.default do |config| ...@@ -23,8 +26,6 @@ SecureHeaders::Configuration.default do |config|
strict: true strict: true
} }
} }
# Disallow iframes.
config.x_frame_options = "DENY"
config.x_content_type_options = "nosniff" config.x_content_type_options = "nosniff"
config.x_xss_protection = "1; mode=block" config.x_xss_protection = "1; mode=block"
config.x_download_options = "noopen" config.x_download_options = "noopen"
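Review bot: Dropping `config.x_frame_options = "DENY"` (the two removed lines just below the `}` closing the HSTS block) removes the only non-CSP clickjacking defense, so framing protection now rests entirely on the `frame_ancestors: %w('none')` directive further down the file, which only browsers implementing CSP Level 2 honor. Unless the secure_headers gem default (SAMEORIGIN, if I recall it correctly) is what is intended, an older client gets weaker protection than before, and even with that default the two headers disagree (SAMEORIGIN versus 'none'). I would keep the explicit header next to the CSP directive: `# Disallow iframes; mirrors frame_ancestors 'none' for clients without CSP2 support.` followed by `config.x_frame_options = "DENY"`. The enclosing `SecureHeaders::Configuration.default do |config|` block starts and ends outside this hunk.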
...@@ -45,13 +46,13 @@ SecureHeaders::Configuration.default do |config| ...@@ -45,13 +46,13 @@ SecureHeaders::Configuration.default do |config|
# Only load local fonts. # Only load local fonts.
font_src: %w('self'), font_src: %w('self'),
# Load local images, any external image available over HTTPS. # Load local images, any external image available over HTTPS.
img_src: %w('self' https:), img_src: %w(* 'self' data:),
# Audio and video can't be played on GitLab currently, so it's disabled. # Audio and video can't be played on GitLab currently, so it's disabled.
media_src: %w('none'), media_src: %w('none'),
# Don't allow <object>, <embed>, or <applet> elements. # Don't allow <object>, <embed>, or <applet> elements.
object_src: %w('none'), object_src: %w('none'),
# Allow local scripts and inline scripts. # Allow local scripts and inline scripts.
script_src: %w('unsafe-inline' 'self'), script_src: %w('unsafe-inline' 'unsafe-eval' 'self'),
# Allow local stylesheets and inline styles. # Allow local stylesheets and inline styles.
style_src: %w('unsafe-inline' 'self'), style_src: %w('unsafe-inline' 'self'),
# The URIs that a user agent may use as the document base URL. # The URIs that a user agent may use as the document base URL.
...@@ -63,15 +64,18 @@ SecureHeaders::Configuration.default do |config| ...@@ -63,15 +64,18 @@ SecureHeaders::Configuration.default do |config|
# Disallow any parents from embedding a page in an iframe. # Disallow any parents from embedding a page in an iframe.
frame_ancestors: %w('none'), frame_ancestors: %w('none'),
# Don't allow any plugins (Flash, Shockwave, etc.) # Don't allow any plugins (Flash, Shockwave, etc.)
plugin_types: %w('none'), plugin_types: %w(),
# Blocks all mixed (HTTP) content. # Blocks all mixed (HTTP) content.
block_all_mixed_content: true, block_all_mixed_content: true,
# Upgrades insecure requests to HTTPS when possible. # Upgrades insecure requests to HTTPS when possible.
upgrade_insecure_requests: true, upgrade_insecure_requests: true
# Reports are sent to Sentry if it's enabled, nowhere otherwise.
report_uri: %W(#{CSP_REPORT_URI})
} }
# Reports are sent to Sentry if it's enabled.
if current_application_settings.sentry_enabled
config.csp[:report_uri] = %W(#{CSP_REPORT_URI})
end
# Allow Bootstrap Linter in development mode. # Allow Bootstrap Linter in development mode.
if Rails.env.development? if Rails.env.development?
config.csp[:script_src] << "maxcdn.bootstrapcdn.com" config.csp[:script_src] << "maxcdn.bootstrapcdn.com"
......