Skip to content

G
gitlab-ce
Commit b2752c46 authored by Connor Shea's avatar Connor Shea
Browse files
Options

Only enable CSP policies when relevant features are enabled. 

Gravatar, Google Analytics, Piwik, Recaptcha, etc.
parent fa56c34b
Hide whitespace changes
Inline Side-by-side
Showing with 27 additions and 1 deletion
config/initializers/secure_headers.rb
View file @ b2752c46
......@@ -32,7 +32,7 @@ SecureHeaders::Configuration.default do |config|
frame_src: %w('self'),
connect_src: %w('self'),
font_src: %w('self'),
img_src: %w('self' www.gravatar.com secure.gravatar.com https:),
img_src: %w('self' https:),
media_src: %w('none'),
object_src: %w('none'),
script_src: %w('unsafe-inline' 'self'),
......@@ -46,7 +46,33 @@ SecureHeaders::Configuration.default do |config|
report_uri: %W(#{CSP_REPORT_URI})
}
# Allow Bootstrap Linter in development mode.
if Rails.env.development?
config.csp[:script_src] << "maxcdn.bootstrapcdn.com"
end
# Recaptcha
if current_application_settings.recaptcha_enabled
config.csp[:script_src] << "https://www.google.com/recaptcha/"
config.csp[:script_src] << "https://www.gstatic.com/recaptcha/"
config.csp[:frame_src] << "https://www.google.com/recaptcha/"
end
# Gravatar
if current_application_settings.gravatar_enabled?
config.csp[:img_src] << "www.gravatar.com"
config.csp[:img_src] << "secure.gravatar.com"
config.csp[:img_src] << Gitlab.config.gravatar.host
end
# Piwik
if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id')
config.csp[:script_src] << Gitlab.config.extra.piwik_url
config.csp[:img_src] << Gitlab.config.extra.piwik_url
end
# Google Analytics
if Gitlab.config.extra.has_key?('google_analytics_id')
config.csp[:script_src] << "https://www.google-analytics.com"
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7