Merge branch 'enable-csp-in-dev-and-ci-ce' into 'master'

[CE] Enable CSP in dev and CI See merge request gitlab-org/gitlab-ce!31800

Merge branch 'enable-csp-in-dev-and-ci-ce' into 'master'
[CE] Enable CSP in dev and CI See merge request gitlab-org/gitlab-ce!31800
c65ea080 · Stan Hu · 8308469f · 92005fb7 · c65ea080 · c65ea080
Commit c65ea080 authored Aug 22, 2019 by Stan Hu
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 5 deletions

config/gitlab.yml.example config/gitlab.yml.example +26 -5

spec/support/capybara.rb spec/support/capybara.rb +3 -0

No files found.
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -50,12 +50,12 @@ production: &base
    # Content Security Policy
    # See https://guides.rubyonrails.org/security.html#content-security-policy
    content_security_policy:
-      enabled: false
+      enabled: true
      report_only: false
      directives:
        base_uri:
        child_src:
-        connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000"
+        connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
        default_src: "'self'"
        font_src:
        form_action:
@@ -64,10 +64,10 @@ production: &base
        img_src: "* data: blob:"
        manifest_src:
        media_src:
-        object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
-        script_src:
+        object_src: "'none'"
+        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
        style_src: "'self' 'unsafe-inline'"
-        worker_src: "http://localhost:3000 blob:"
+        worker_src: "'self' blob:"
        report_uri:

    # Trusted Proxies
@@ -1099,6 +1099,27 @@ test:
    host: localhost
    port: 80

+    content_security_policy:
+      enabled: true
+      report_only: false
+      directives:
+        base_uri:
+        child_src:
+        connect_src:
+        default_src: "'self'"
+        font_src:
+        form_action:
+        frame_ancestors: "'self'"
+        frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
+        img_src: "* data: blob:"
+        manifest_src:
+        media_src:
+        object_src: "'none'"
+        script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
+        style_src: "'self' 'unsafe-inline'"
+        worker_src: "'self' blob:"
+        report_uri:
+
    # When you run tests we clone and set up gitlab-shell
    # In order to set it up correctly you need to specify
    # your system username you use to run GitLab

--- a/spec/support/capybara.rb
+++ b/spec/support/capybara.rb
@@ -47,6 +47,9 @@ Capybara.register_driver :chrome do |app|
  # Explicitly set user-data-dir to prevent crashes. See https://gitlab.com/gitlab-org/gitlab-ce/issues/58882#note_179811508
  options.add_argument("user-data-dir=/tmp/chrome") if ENV['CI'] || ENV['CI_SERVER']

+  # Chrome 75 defaults to W3C mode which doesn't allow console log access
+  options.add_option(:w3c, false)
+
  Capybara::Selenium::Driver.new(
    app,
    browser: :chrome,