BigW Consortium Gitlab

Only enable CSP policies when relevant features are enabled.

Gravatar, Google Analytics, Piwik, Recaptcha, etc.
parent fa56c34b
......@@ -32,7 +32,7 @@ SecureHeaders::Configuration.default do |config|
frame_src: %w('self'),
connect_src: %w('self'),
font_src: %w('self'),
img_src: %w('self' www.gravatar.com secure.gravatar.com https:),
img_src: %w('self' https:),
media_src: %w('none'),
object_src: %w('none'),
script_src: %w('unsafe-inline' 'self'),
......@@ -46,7 +46,33 @@ SecureHeaders::Configuration.default do |config|
report_uri: %W(#{CSP_REPORT_URI})
}
# Allow Bootstrap Linter in development mode.
if Rails.env.development?
config.csp[:script_src] << "maxcdn.bootstrapcdn.com"
end
# Recaptcha
if current_application_settings.recaptcha_enabled
config.csp[:script_src] << "https://www.google.com/recaptcha/"
config.csp[:script_src] << "https://www.gstatic.com/recaptcha/"
config.csp[:frame_src] << "https://www.google.com/recaptcha/"
end
# Gravatar
if current_application_settings.gravatar_enabled?
config.csp[:img_src] << "www.gravatar.com"
config.csp[:img_src] << "secure.gravatar.com"
config.csp[:img_src] << Gitlab.config.gravatar.host
end
# Piwik
if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id')
config.csp[:script_src] << Gitlab.config.extra.piwik_url
config.csp[:img_src] << Gitlab.config.extra.piwik_url
end
# Google Analytics
if Gitlab.config.extra.has_key?('google_analytics_id')
config.csp[:script_src] << "https://www.google-analytics.com"
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment