Revert "Merge branch 'csp-basics' into 'master'

This reverts commit 9065f9c5, reversing changes made to f0b446e5.

Revert "Merge branch 'csp-basics' into 'master'
9a7815e4 · Robert Speicher · 76e78fca · 9a7815e4 · 9a7815e4 · 76e78fca
Commit 9a7815e4 authored Jul 20, 2016 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 116 deletions

Gemfile Gemfile +0 -3

Gemfile.lock Gemfile.lock +0 -4

secure_headers.rb config/initializers/secure_headers.rb +0 -109

No files found.
--- a/Gemfile
+++ b/Gemfile
@@ -349,6 +349,3 @@ gem 'health_check', '~> 2.1.0'
 # System information
 gem 'vmstat', '~> 2.1.0'
 gem 'sys-filesystem', '~> 1.1.6'
-
-# Secure headers for Content Security Policy
-gem 'secure_headers', '~> 3.3'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -645,8 +645,6 @@ GEM
    sdoc (0.3.20)
      json (>= 1.1.3)
      rdoc (~> 3.10)
-    secure_headers (3.3.2)
-      useragent
    seed-fu (2.3.6)
      activerecord (>= 3.1)
      activesupport (>= 3.1)
@@ -769,7 +767,6 @@ GEM
      get_process_mem (~> 0)
      unicorn (>= 4, < 6)
    uniform_notifier (1.9.0)
-    useragent (0.16.7)
    uuid (2.3.8)
      macaddr (~> 1.0)
    version_sorter (2.0.0)
@@ -947,7 +944,6 @@ DEPENDENCIES
  sass-rails (~> 5.0.0)
  scss_lint (~> 0.47.0)
  sdoc (~> 0.3.20)
-  secure_headers (~> 3.3)
  seed-fu (~> 2.3.5)
  select2-rails (~> 3.5.9)
  sentry-raven (~> 1.1.0)

--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
-# CSP headers have to have single quotes, so failures relating to quotes
-# inside Ruby string arrays are irrelevant.
-# rubocop:disable Lint/PercentStringArray
-require 'gitlab/current_settings'
-include Gitlab::CurrentSettings
-
-# If Sentry is enabled and the Rails app is running in production mode,
-# this will construct the Report URI for Sentry.
-if Rails.env.production? && current_application_settings.sentry_enabled
-  uri = URI.parse(current_application_settings.sentry_dsn)
-  CSP_REPORT_URI = "#{uri.scheme}://#{uri.host}/api#{uri.path}/csp-report/?sentry_key=#{uri.user}"
-else
-  CSP_REPORT_URI = ''
-end
-
-# Content Security Policy Headers
-# For more information on CSP see:
-# - https://gitlab.com/gitlab-org/gitlab-ce/issues/18231
-# - https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
-SecureHeaders::Configuration.default do |config|
-  # Mark all cookies as "Secure", "HttpOnly", and "SameSite=Strict".
-  config.cookies = {
-    secure: true,
-    httponly: true,
-    samesite: {
-      strict: true 
-    }
-  }
-  config.x_content_type_options = "nosniff"
-  config.x_xss_protection = "1; mode=block"
-  config.x_download_options = "noopen"
-  config.x_permitted_cross_domain_policies = "none"
-  config.referrer_policy = "origin-when-cross-origin"
-  config.csp = {
-    # "Meta" values.
-    report_only: true,
-    preserve_schemes: true,
-
-    # "Directive" values.
-    # Default source allows nothing, more permissive values are set per-policy.
-    default_src: %w('none'),
-    # (Deprecated) Don't allow iframes.
-    frame_src: %w('none'),
-    # Only allow XMLHTTPRequests from the GitLab instance itself.
-    connect_src: %w('self'),
-    # Only load local fonts.
-    font_src: %w('self'),
-    # Load local images, any external image available over HTTPS.
-    img_src: %w(* 'self' data:),
-    # Audio and video can't be played on GitLab currently, so it's disabled.
-    media_src: %w('none'),
-    # Don't allow <object>, <embed>, or <applet> elements.
-    object_src: %w('none'),
-    # Allow local scripts and inline scripts.
-    script_src: %w('unsafe-inline' 'unsafe-eval' 'self'),
-    # Allow local stylesheets and inline styles.
-    style_src: %w('unsafe-inline' 'self'),
-    # The URIs that a user agent may use as the document base URL.
-    base_uri: %w('self'),
-    # Only allow local iframes and service workers
-    child_src: %w('self'),
-    # Only submit form information to the GitLab instance.
-    form_action: %w('self'),
-    # Disallow any parents from embedding a page in an iframe.
-    frame_ancestors: %w('none'),
-    # Don't allow any plugins (Flash, Shockwave, etc.)
-    plugin_types: %w(),
-    # Blocks all mixed (HTTP) content.
-    block_all_mixed_content: true,
-    # Upgrades insecure requests to HTTPS when possible.
-    upgrade_insecure_requests: true
-  }
-
-  # Reports are sent to Sentry if it's enabled.
-  if current_application_settings.sentry_enabled
-    config.csp[:report_uri] = %W(#{CSP_REPORT_URI})
-  end
-
-  # Allow Bootstrap Linter in development mode.
-  if Rails.env.development?
-    config.csp[:script_src] << "maxcdn.bootstrapcdn.com"
-  end
-
-  # reCAPTCHA
-  if current_application_settings.recaptcha_enabled
-    config.csp[:script_src] << "https://www.google.com/recaptcha/"
-    config.csp[:script_src] << "https://www.gstatic.com/recaptcha/"
-    config.csp[:frame_src] << "https://www.google.com/recaptcha/"
-    config.x_frame_options = "SAMEORIGIN"
-  end
-
-  # Gravatar
-  if current_application_settings.gravatar_enabled?
-    config.csp[:img_src] << "www.gravatar.com"
-    config.csp[:img_src] << "secure.gravatar.com"
-    config.csp[:img_src] << Gitlab.config.gravatar.host
-  end
-
-  # Piwik
-  if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id')
-    config.csp[:script_src] << Gitlab.config.extra.piwik_url
-    config.csp[:img_src] << Gitlab.config.extra.piwik_url
-  end
-
-  # Google Analytics
-  if Gitlab.config.extra.has_key?('google_analytics_id')
-    config.csp[:script_src] << "https://www.google-analytics.com"
-  end
-end