diff options
Diffstat (limited to 'config/initializers/secure_headers.rb')
-rw-r--r-- | config/initializers/secure_headers.rb | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index 66aca5fb46b..e69117e0521 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -2,7 +2,6 @@ require 'gitlab/current_settings' include Gitlab::CurrentSettings uri = URI.parse(current_application_settings.sentry_dsn) - CSP_REPORT_URI = "#{uri.scheme}://#{uri.host}/api#{uri.path}/csp-report/?sentry_key=#{uri.user}" SecureHeaders::Configuration.default do |config| @@ -32,7 +31,7 @@ SecureHeaders::Configuration.default do |config| img_src: %w('self' www.gravatar.com secure.gravatar.com https:), media_src: %w('none'), object_src: %w('none'), - script_src: %w('unsafe-inline' 'self' maxcdn.bootstrapcdn.com), + script_src: %w('unsafe-inline' 'self'), style_src: %w('unsafe-inline' 'self'), base_uri: %w('self'), child_src: %w('self'), @@ -42,4 +41,13 @@ SecureHeaders::Configuration.default do |config| upgrade_insecure_requests: true, # see https://www.w3.org/TR/upgrade-insecure-requests/ report_uri: %W(#{CSP_REPORT_URI}) } + + if Rails.env.development? + config.csp[:script_src] << "maxcdn.bootstrapcdn.com" + end +end + +SecureHeaders::Configuration.override(:background_jobs) do |config| + config.csp[:frame_ancestors] = %w('self') + config.x_frame_options = 'SAMEORIGIN' end |