From c2fe22f8f419a8e562f0f34e8c0f478aefc34ec0 Mon Sep 17 00:00:00 2001
From: Connor Shea
Date: Mon, 18 Jul 2016 12:30:23 -0600
Subject: [PATCH] Minor policy refinements.
---
 config/initializers/secure_headers.rb | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 7a2f0eab3c0..9fd24a667cc 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -1,3 +1,6 @@
+# CSP headers have to have single quotes, so failures relating to quotes
+# inside Ruby string arrays are irrelevant.
+# rubocop:disable Lint/PercentStringArray
 require 'gitlab/current_settings'
 include Gitlab::CurrentSettings
@@ -23,8 +26,6 @@ SecureHeaders::Configuration.default do |config|
 strict: true
 }
 }
- # Disallow iframes.
- config.x_frame_options = "DENY"
 config.x_content_type_options = "nosniff"
 config.x_xss_protection = "1; mode=block"
 config.x_download_options = "noopen"
@@ -45,13 +46,13 @@ SecureHeaders::Configuration.default do |config|
 # Only load local fonts.
 font_src: %w('self'),
 # Load local images, any external image available over HTTPS.
- img_src: %w('self' https:),
+ img_src: %w(* 'self' data:),
 # Audio and video can't be played on GitLab currently, so it's disabled.
 media_src: %w('none'),
 # Don't allow , , or elements.
 object_src: %w('none'),
 # Allow local scripts and inline scripts.
- script_src: %w('unsafe-inline' 'self'),
+ script_src: %w('unsafe-inline' 'unsafe-eval' 'self'),
 # Allow local stylesheets and inline styles.
 style_src: %w('unsafe-inline' 'self'),
 # The URIs that a user agent may use as the document base URL.
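Review bot: Dropping `config.x_frame_options = "DENY"` leaves clickjacking protection to `frame_ancestors: %w('none')` alone, and frame-ancestors is a CSP Level 2 directive that browsers of this era such as IE and older Edge/Safari do not honor, so the page stays framable there unless the secure_headers gem supplies its own X-Frame-Options default, which this hunk does not show. The two headers are not redundant: X-Frame-Options is the fallback for exactly those clients, and CSP takes precedence where both are understood. I would keep `config.x_frame_options = "DENY"` alongside the other legacy headers below it. The enclosing `SecureHeaders::Configuration.default do |config|` block opens before this hunk.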
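Review bot: Adding `'unsafe-eval'` next to the existing `'unsafe-inline'` in script_src removes most of the XSS mitigation a script-src directive can provide, since an injector who can already run inline script now also gets eval/new Function, and the comment above it (`# Allow local scripts and inline scripts.`) neither mentions eval nor says what requires it. Name the dependency that needs eval and mark it for removal, e.g. `# Allow local scripts, inline scripts and eval. TODO: 'unsafe-eval' is required by a specific library; drop it once that dependency no longer needs it.` The img_src comment is also stale: `* 'self' data:` permits images from any origin plus data: URIs (and `*` makes `'self'` redundant), not only external images over HTTPS, so reword it to `# Load images from any origin and data: URIs.` The `config.csp = {` hash these entries belong to opens before this hunk.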
@@ -63,15 +64,18 @@ SecureHeaders::Configuration.default do |config|
 # Disallow any parents from embedding a page in an iframe.
 frame_ancestors: %w('none'),
 # Don't allow any plugins (Flash, Shockwave, etc.)
- plugin_types: %w('none'),
+ plugin_types: %w(),
 # Blocks all mixed (HTTP) content.
 block_all_mixed_content: true,
 # Upgrades insecure requests to HTTPS when possible.
- upgrade_insecure_requests: true,
- # Reports are sent to Sentry if it's enabled, nowhere otherwise.
- report_uri: %W(#{CSP_REPORT_URI})
+ upgrade_insecure_requests: true
 }
+ # Reports are sent to Sentry if it's enabled.
+ if current_application_settings.sentry_enabled
+ config.csp[:report_uri] = %W(#{CSP_REPORT_URI})
+ end
+
 # Allow Bootstrap Linter in development mode.
 if Rails.env.development?
 config.csp[:script_src] << "maxcdn.bootstrapcdn.com"
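Review bot: `plugin_types: %w()` keeps the `# Don't allow any plugins (Flash, Shockwave, etc.)` comment, but an empty plugin-types list is not what blocks plugins — the `object_src: %w('none')` entry earlier in the policy is — and plugin-types takes MIME types, which is presumably why `'none'` was dropped as invalid. How the gem serializes an empty array (omitting the directive or emitting an empty one) is not visible here and should be checked against the header actually sent. Either drop the key or make the comment match what the line does: `# Plugins are blocked by object_src 'none'; plugin-types only takes MIME types, so leave it empty.` The new `if current_application_settings.sentry_enabled` guard reads application settings while the initializer loads, which presumably touches the database at boot; a one-line comment saying so would help whoever next edits this file. The `config.csp = {` hash closed by `}` in this hunk opens before it.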