Add Content Secure Policy headers

author: Achilleas Pipinellis <axil@gitlab.com> 2020-09-09 15:12:37 +0300
committer: Jean du Plessis <jduplessis@gitlab.com> 2020-09-09 15:12:37 +0300
commit: baf1605b9b7ff52ed1eba8e1a67bf3d0b026588f (patch)
tree: 849225002be670a1be60f3ea5f6c5d5bf08070d1 /layouts/head.html
parent: 91f5c6f438d9ffdaa02d8f313a05fe9414df407e (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/layouts/head.html b/layouts/head.html
index 71871884..d4fcd72f 100644
--- a/layouts/head.html
+++ b/layouts/head.html
@@ -20,6 +20,9 @@
 <% else %>
 <meta name="docsearch:version" content="master" />
 <% end %>
+<% if is_production? and ENV['CI_COMMIT_REF_NAME'] == 'master' %>
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none'; style-src 'self' https://stackpath.bootstrapcdn.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; font-src 'self' https://cdnjs.cloudflare.com;">
+<% end %>
 <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" integrity="sha384-JcKb8q3iqJ61gNV9KGb8thSsNjpSL0n8PARn9HuZOnIxN0hoP+VmmDGMN5t9UJ0Z" crossorigin="anonymous">
 <link rel="stylesheet" href="<%= @items['/assets/stylesheets/stylesheet.*'].path %>">
 <link rel="stylesheet" href="<%= @items['/assets/stylesheets/highlight.*'].path %>">
author	Achilleas Pipinellis <axil@gitlab.com>	2020-09-09 15:12:37 +0300
committer	Jean du Plessis <jduplessis@gitlab.com>	2020-09-09 15:12:37 +0300
commit	baf1605b9b7ff52ed1eba8e1a67bf3d0b026588f (patch)
tree	849225002be670a1be60f3ea5f6c5d5bf08070d1 /layouts/head.html
parent	91f5c6f438d9ffdaa02d8f313a05fe9414df407e (diff)