Commit 92005fb7 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu Committed by Stan Hu

Enable CSP in gitlab.yml.example

This enables CSP in dev and CI
parent 8308469f
...@@ -50,12 +50,12 @@ production: &base ...@@ -50,12 +50,12 @@ production: &base
# Content Security Policy # Content Security Policy
# See https://guides.rubyonrails.org/security.html#content-security-policy # See https://guides.rubyonrails.org/security.html#content-security-policy
content_security_policy: content_security_policy:
enabled: false enabled: true
report_only: false report_only: false
directives: directives:
base_uri: base_uri:
child_src: child_src:
connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000" connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
default_src: "'self'" default_src: "'self'"
font_src: font_src:
form_action: form_action:
...@@ -64,10 +64,10 @@ production: &base ...@@ -64,10 +64,10 @@ production: &base
img_src: "* data: blob:" img_src: "* data: blob:"
manifest_src: manifest_src:
media_src: media_src:
object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com" object_src: "'none'"
script_src: script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
style_src: "'self' 'unsafe-inline'" style_src: "'self' 'unsafe-inline'"
worker_src: "http://localhost:3000 blob:" worker_src: "'self' blob:"
report_uri: report_uri:
# Trusted Proxies # Trusted Proxies
...@@ -1099,6 +1099,27 @@ test: ...@@ -1099,6 +1099,27 @@ test:
host: localhost host: localhost
port: 80 port: 80
content_security_policy:
enabled: true
report_only: false
directives:
base_uri:
child_src:
connect_src:
default_src: "'self'"
font_src:
form_action:
frame_ancestors: "'self'"
frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
img_src: "* data: blob:"
manifest_src:
media_src:
object_src: "'none'"
script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
style_src: "'self' 'unsafe-inline'"
worker_src: "'self' blob:"
report_uri:
# When you run tests we clone and set up gitlab-shell # When you run tests we clone and set up gitlab-shell
# In order to set it up correctly you need to specify # In order to set it up correctly you need to specify
# your system username you use to run GitLab # your system username you use to run GitLab
......
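Review bot: The `http://localhost:*` / `ws://localhost:*` sources in `connect_src` and the `'unsafe-eval'` plus `http://localhost:*` sources in `script_src` are written under `production: &base`, the block operators copy for real deployments (and, presumably, the one `development:` merges through the anchor), so together with `enabled: true` these development allowances become the shipped production default. A comment above `content_security_policy:` such as `# The localhost:* and 'unsafe-eval' sources below are for local development; tighten them for production` would make that explicit, or the dev-specific sources could move to the `development:` block instead. `report_uri:` stays empty while `report_only: false`, so enforcement is on but violations surface only in the browser console; saying so in the same comment avoids surprise when something breaks silently. In the third hunk the `test:` block repeats the directives but leaves `connect_src:` blank, which only works if an empty directive falls back to `default_src` in the CSP loader — worth confirming.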
...@@ -47,6 +47,9 @@ Capybara.register_driver :chrome do |app| ...@@ -47,6 +47,9 @@ Capybara.register_driver :chrome do |app|
# Explicitly set user-data-dir to prevent crashes. See https://gitlab.com/gitlab-org/gitlab-ce/issues/58882#note_179811508 # Explicitly set user-data-dir to prevent crashes. See https://gitlab.com/gitlab-org/gitlab-ce/issues/58882#note_179811508
options.add_argument("user-data-dir=/tmp/chrome") if ENV['CI'] || ENV['CI_SERVER'] options.add_argument("user-data-dir=/tmp/chrome") if ENV['CI'] || ENV['CI_SERVER']
# Chrome 75 defaults to W3C mode which doesn't allow console log access
options.add_option(:w3c, false)
Capybara::Selenium::Driver.new( Capybara::Selenium::Driver.new(
app, app,
browser: :chrome, browser: :chrome,
......
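Review bot: The comment above `options.add_option(:w3c, false)` says what W3C mode prevents but not why this commit needs console log access; presumably it is so feature specs can observe CSP violation messages now that the policy is enforced in the `test:` block, and the comment should state that, e.g. `# Console logs are needed to surface CSP violations during feature specs`. The option is also applied unconditionally, unlike the `user-data-dir` argument just above which is gated on `ENV['CI'] || ENV['CI_SERVER']`; that is probably intended for local runs too, but worth confirming. The enclosing `Capybara.register_driver :chrome do |app|` block starts before and ends after the hunk.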