gitlab-org--gitlab-foss/config/initializers/content_security_policy.rb

# frozen_string_literal: true

csp_settings = Settings.gitlab.content_security_policy

csp_settings['enabled'] = Gitlab::ContentSecurityPolicy::ConfigLoader.default_enabled if csp_settings['enabled'].nil?
csp_settings['report_only'] = false if csp_settings['report_only'].nil?
csp_settings['directives'] ||= {}

if csp_settings['enabled']
  csp_settings['directives'] = ::Gitlab::ContentSecurityPolicy::ConfigLoader.default_directives if csp_settings['directives'].empty?

  # See https://guides.rubyonrails.org/security.html#content-security-policy
  Rails.application.config.content_security_policy do |policy|
    loader = ::Gitlab::ContentSecurityPolicy::ConfigLoader.new(csp_settings['directives'].to_h)
    loader.load(policy)
  end

  Rails.application.config.content_security_policy_report_only = csp_settings['report_only']
  Rails.application.config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }
  Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
end
Add support for Content-Security-Policy A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present. 2019-08-06 02:14:32 -04:00			`# frozen_string_literal: true`

			`csp_settings = Settings.gitlab.content_security_policy`

Add latest changes from gitlab-org/gitlab@master 2021-08-13 17:09:54 -04:00			`csp_settings['enabled'] = Gitlab::ContentSecurityPolicy::ConfigLoader.default_enabled if csp_settings['enabled'].nil?`
			`csp_settings['report_only'] = false if csp_settings['report_only'].nil?`
			`csp_settings['directives'] \|\|= {}`

Add support for Content-Security-Policy A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present. 2019-08-06 02:14:32 -04:00			`if csp_settings['enabled']`
Add latest changes from gitlab-org/gitlab@master 2021-08-13 17:09:54 -04:00			`csp_settings['directives'] = ::Gitlab::ContentSecurityPolicy::ConfigLoader.default_directives if csp_settings['directives'].empty?`

Add support for Content-Security-Policy A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present. 2019-08-06 02:14:32 -04:00			`# See https://guides.rubyonrails.org/security.html#content-security-policy`
			`Rails.application.config.content_security_policy do \|policy\|`
Add latest changes from gitlab-org/gitlab@master 2021-08-13 17:09:54 -04:00			`loader = ::Gitlab::ContentSecurityPolicy::ConfigLoader.new(csp_settings['directives'].to_h)`
Add support for Content-Security-Policy A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present. 2019-08-06 02:14:32 -04:00			`loader.load(policy)`
			`end`

			`Rails.application.config.content_security_policy_report_only = csp_settings['report_only']`
			`Rails.application.config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }`
Add latest changes from gitlab-org/gitlab@master 2020-01-29 13:08:47 -05:00			`Rails.application.config.content_security_policy_nonce_directives = %w(script-src)`
Add support for Content-Security-Policy A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present. 2019-08-06 02:14:32 -04:00			`end`