author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-06-07 17:47:00 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-06-07 17:47:00 +0300 |
commit | 08086ff522742c28a6b10e9b2ed71f0af6633e5b (patch) | |
tree | 5a4fde8b23140cb4edf04b24854b53f87085dd42 /lib/gitlab | |
parent | 8f3fbbf0d56091ad87158f61bf2a4e96a7f937e3 (diff) |
Add latest changes from gitlab-org/gitlab@13-12-stable-ee
Diffstat (limited to 'lib/gitlab')
-rw-r--r-- | lib/gitlab/content_security_policy/config_loader.rb | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 6f6147f0f32..e42b174e085 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -9,21 +9,20 @@ module Gitlab
 def self.default_settings_hash
 settings_hash = {
- 'enabled' => true,
+ 'enabled' => Rails.env.development? || Rails.env.test?,
 'report_only' => false,
 'directives' => {
 'default_src' => "'self'",
 'base_uri' => "'self'",
- 'child_src' => "'none'",
 'connect_src' => "'self'",
 'font_src' => "'self'",
 'form_action' => "'self' https: http:",
 'frame_ancestors' => "'self'",
- 'frame_src' => "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
+ 'frame_src' => "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com",
 'img_src' => "'self' data: blob: http: https:",
 'manifest_src' => "'self'",
 'media_src' => "'self'",
- 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com",
+ 'script_src' => "'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com",
 'style_src' => "'self' 'unsafe-inline'",
 'worker_src' => "'self'",
 'object_src' => "'none'",
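Review bot: The new `'enabled' => Rails.env.development? || Rails.env.test?` line turns CSP off by default in production, so any install that has not explicitly set the policy's `enabled` key in its configuration stops emitting a Content-Security-Policy header, and neither the hunk nor the commit message records why; a comment such as `# Only enforced by default in development/test; production deployments must opt in via the content_security_policy settings` (or, better, a note on what must change before it can default to on) would stop the next reader from treating the flip as accidental. If the reason is that this policy is not yet safe to enforce, the safer default is to keep `enabled` true and set `report_only` true in production, so violations are reported without blocking anything. The added `https://www.google.com/recaptcha/` entry in `script_src` deserves its own comment: the directive already carries `'strict-dynamic'`, under which CSP Level 3 browsers ignore host-source allowlist entries (and `'self'` / `'unsafe-inline'`) in script-src, so this entry only takes effect in browsers that fall back to the allowlist, and CSP path matching is relaxed to the origin after a redirect. `default_settings_hash` continues past the end of this hunk.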
@@ -31,6 +30,11 @@ module Gitlab
 }
 }
+ # frame-src was deprecated in CSP level 2 in favor of child-src
+ # CSP level 3 "undeprecated" frame-src and browsers fall back on child-src if it's missing
+ # However Safari seems to read child-src first so we'll just keep both equal
+ settings_hash['directives']['child_src'] = settings_hash['directives']['frame_src']
+
 allow_webpack_dev_server(settings_hash) if Rails.env.development?
 allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?