2019-08-06 02:14:32 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
csp_settings = Settings.gitlab.content_security_policy
|
|
|
|
|
2021-08-13 17:09:54 -04:00
|
|
|
csp_settings['enabled'] = Gitlab::ContentSecurityPolicy::ConfigLoader.default_enabled if csp_settings['enabled'].nil?
|
|
|
|
csp_settings['report_only'] = false if csp_settings['report_only'].nil?
|
|
|
|
csp_settings['directives'] ||= {}
|
|
|
|
|
2019-08-06 02:14:32 -04:00
|
|
|
if csp_settings['enabled']
|
|
|
|
# See https://guides.rubyonrails.org/security.html#content-security-policy
|
|
|
|
Rails.application.config.content_security_policy do |policy|
|
2021-08-13 17:09:54 -04:00
|
|
|
loader = ::Gitlab::ContentSecurityPolicy::ConfigLoader.new(csp_settings['directives'].to_h)
|
2019-08-06 02:14:32 -04:00
|
|
|
loader.load(policy)
|
|
|
|
end
|
|
|
|
|
|
|
|
Rails.application.config.content_security_policy_report_only = csp_settings['report_only']
|
|
|
|
Rails.application.config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }
|
2020-01-29 13:08:47 -05:00
|
|
|
Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
|
2019-08-06 02:14:32 -04:00
|
|
|
end
|