Merge branch 'enable-csp-in-dev-and-ci-ce' into 'master'

[CE] Enable CSP in dev and CI

See merge request gitlab-org/gitlab-ce!31800
This commit is contained in:
Stan Hu 2019-08-22 22:02:58 +00:00
commit c65ea080ba
2 changed files with 29 additions and 5 deletions

View file

@ -50,12 +50,12 @@ production: &base
# Content Security Policy
# See https://guides.rubyonrails.org/security.html#content-security-policy
content_security_policy:
enabled: false
enabled: true
report_only: false
directives:
base_uri:
child_src:
connect_src: "'self' http://localhost:3808 ws://localhost:3808 wss://localhost:3000"
connect_src: "'self' http://localhost:* ws://localhost:* wss://localhost:*"
default_src: "'self'"
font_src:
form_action:
@ -64,10 +64,10 @@ production: &base
img_src: "* data: blob:"
manifest_src:
media_src:
object_src: "'self' http://localhost:3808 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
script_src:
object_src: "'none'"
script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
style_src: "'self' 'unsafe-inline'"
worker_src: "http://localhost:3000 blob:"
worker_src: "'self' blob:"
report_uri:
# Trusted Proxies
@ -1099,6 +1099,27 @@ test:
host: localhost
port: 80
content_security_policy:
enabled: true
report_only: false
directives:
base_uri:
child_src:
connect_src:
default_src: "'self'"
font_src:
form_action:
frame_ancestors: "'self'"
frame_src: "'self' https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
img_src: "* data: blob:"
manifest_src:
media_src:
object_src: "'none'"
script_src: "'self' 'unsafe-eval' http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
style_src: "'self' 'unsafe-inline'"
worker_src: "'self' blob:"
report_uri:
# When you run tests we clone and set up gitlab-shell
# In order to set it up correctly you need to specify
# your system username you use to run GitLab

View file

@ -47,6 +47,9 @@ Capybara.register_driver :chrome do |app|
# Explicitly set user-data-dir to prevent crashes. See https://gitlab.com/gitlab-org/gitlab-ce/issues/58882#note_179811508
options.add_argument("user-data-dir=/tmp/chrome") if ENV['CI'] || ENV['CI_SERVER']
# Chrome 75 defaults to W3C mode which doesn't allow console log access
options.add_option(:w3c, false)
Capybara::Selenium::Driver.new(
app,
browser: :chrome,