Merge branch 'csp-basics' into 'master'
Content Security Policy Ref: #18231 This uses twitter's [secure_headers gem](https://github.com/twitter/secureheaders). See merge request !4770
This commit is contained in:
commit
9065f9c5ff
3
Gemfile
3
Gemfile
|
@ -349,3 +349,6 @@ gem 'health_check', '~> 2.1.0'
|
|||
# System information
|
||||
gem 'vmstat', '~> 2.1.0'
|
||||
gem 'sys-filesystem', '~> 1.1.6'
|
||||
|
||||
# Secure headers for Content Security Policy
|
||||
gem 'secure_headers', '~> 3.3'
|
||||
|
|
|
@ -645,6 +645,8 @@ GEM
|
|||
sdoc (0.3.20)
|
||||
json (>= 1.1.3)
|
||||
rdoc (~> 3.10)
|
||||
secure_headers (3.3.2)
|
||||
useragent
|
||||
seed-fu (2.3.6)
|
||||
activerecord (>= 3.1)
|
||||
activesupport (>= 3.1)
|
||||
|
@ -767,6 +769,7 @@ GEM
|
|||
get_process_mem (~> 0)
|
||||
unicorn (>= 4, < 6)
|
||||
uniform_notifier (1.9.0)
|
||||
useragent (0.16.7)
|
||||
uuid (2.3.8)
|
||||
macaddr (~> 1.0)
|
||||
version_sorter (2.0.0)
|
||||
|
@ -944,6 +947,7 @@ DEPENDENCIES
|
|||
sass-rails (~> 5.0.0)
|
||||
scss_lint (~> 0.47.0)
|
||||
sdoc (~> 0.3.20)
|
||||
secure_headers (~> 3.3)
|
||||
seed-fu (~> 2.3.5)
|
||||
select2-rails (~> 3.5.9)
|
||||
sentry-raven (~> 1.1.0)
|
||||
|
|
|
@ -0,0 +1,109 @@
|
|||
# CSP headers have to have single quotes, so failures relating to quotes
|
||||
# inside Ruby string arrays are irrelevant.
|
||||
# rubocop:disable Lint/PercentStringArray
|
||||
require 'gitlab/current_settings'
|
||||
include Gitlab::CurrentSettings
|
||||
|
||||
# If Sentry is enabled and the Rails app is running in production mode,
|
||||
# this will construct the Report URI for Sentry.
|
||||
if Rails.env.production? && current_application_settings.sentry_enabled
|
||||
uri = URI.parse(current_application_settings.sentry_dsn)
|
||||
CSP_REPORT_URI = "#{uri.scheme}://#{uri.host}/api#{uri.path}/csp-report/?sentry_key=#{uri.user}"
|
||||
else
|
||||
CSP_REPORT_URI = ''
|
||||
end
|
||||
|
||||
# Content Security Policy Headers
|
||||
# For more information on CSP see:
|
||||
# - https://gitlab.com/gitlab-org/gitlab-ce/issues/18231
|
||||
# - https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
|
||||
SecureHeaders::Configuration.default do |config|
|
||||
# Mark all cookies as "Secure", "HttpOnly", and "SameSite=Strict".
|
||||
config.cookies = {
|
||||
secure: true,
|
||||
httponly: true,
|
||||
samesite: {
|
||||
strict: true
|
||||
}
|
||||
}
|
||||
config.x_content_type_options = "nosniff"
|
||||
config.x_xss_protection = "1; mode=block"
|
||||
config.x_download_options = "noopen"
|
||||
config.x_permitted_cross_domain_policies = "none"
|
||||
config.referrer_policy = "origin-when-cross-origin"
|
||||
config.csp = {
|
||||
# "Meta" values.
|
||||
report_only: true,
|
||||
preserve_schemes: true,
|
||||
|
||||
# "Directive" values.
|
||||
# Default source allows nothing, more permissive values are set per-policy.
|
||||
default_src: %w('none'),
|
||||
# (Deprecated) Don't allow iframes.
|
||||
frame_src: %w('none'),
|
||||
# Only allow XMLHTTPRequests from the GitLab instance itself.
|
||||
connect_src: %w('self'),
|
||||
# Only load local fonts.
|
||||
font_src: %w('self'),
|
||||
# Load local images, any external image available over HTTPS.
|
||||
img_src: %w(* 'self' data:),
|
||||
# Audio and video can't be played on GitLab currently, so it's disabled.
|
||||
media_src: %w('none'),
|
||||
# Don't allow <object>, <embed>, or <applet> elements.
|
||||
object_src: %w('none'),
|
||||
# Allow local scripts and inline scripts.
|
||||
script_src: %w('unsafe-inline' 'unsafe-eval' 'self'),
|
||||
# Allow local stylesheets and inline styles.
|
||||
style_src: %w('unsafe-inline' 'self'),
|
||||
# The URIs that a user agent may use as the document base URL.
|
||||
base_uri: %w('self'),
|
||||
# Only allow local iframes and service workers
|
||||
child_src: %w('self'),
|
||||
# Only submit form information to the GitLab instance.
|
||||
form_action: %w('self'),
|
||||
# Disallow any parents from embedding a page in an iframe.
|
||||
frame_ancestors: %w('none'),
|
||||
# Don't allow any plugins (Flash, Shockwave, etc.)
|
||||
plugin_types: %w(),
|
||||
# Blocks all mixed (HTTP) content.
|
||||
block_all_mixed_content: true,
|
||||
# Upgrades insecure requests to HTTPS when possible.
|
||||
upgrade_insecure_requests: true
|
||||
}
|
||||
|
||||
# Reports are sent to Sentry if it's enabled.
|
||||
if current_application_settings.sentry_enabled
|
||||
config.csp[:report_uri] = %W(#{CSP_REPORT_URI})
|
||||
end
|
||||
|
||||
# Allow Bootstrap Linter in development mode.
|
||||
if Rails.env.development?
|
||||
config.csp[:script_src] << "maxcdn.bootstrapcdn.com"
|
||||
end
|
||||
|
||||
# reCAPTCHA
|
||||
if current_application_settings.recaptcha_enabled
|
||||
config.csp[:script_src] << "https://www.google.com/recaptcha/"
|
||||
config.csp[:script_src] << "https://www.gstatic.com/recaptcha/"
|
||||
config.csp[:frame_src] << "https://www.google.com/recaptcha/"
|
||||
config.x_frame_options = "SAMEORIGIN"
|
||||
end
|
||||
|
||||
# Gravatar
|
||||
if current_application_settings.gravatar_enabled?
|
||||
config.csp[:img_src] << "www.gravatar.com"
|
||||
config.csp[:img_src] << "secure.gravatar.com"
|
||||
config.csp[:img_src] << Gitlab.config.gravatar.host
|
||||
end
|
||||
|
||||
# Piwik
|
||||
if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id')
|
||||
config.csp[:script_src] << Gitlab.config.extra.piwik_url
|
||||
config.csp[:img_src] << Gitlab.config.extra.piwik_url
|
||||
end
|
||||
|
||||
# Google Analytics
|
||||
if Gitlab.config.extra.has_key?('google_analytics_id')
|
||||
config.csp[:script_src] << "https://www.google-analytics.com"
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue