gitlab-org--gitlab-foss

Commit Graph

Author	SHA1	Message	Date
GitLab Bot	79ecd9a748	Add latest changes from gitlab-org/gitlab@master	2021-08-13 21:09:54 +00:00
GitLab Bot	6b9d3a4e83	Add latest changes from gitlab-org/gitlab@master	2020-01-29 18:08:47 +00:00
Stan Hu	5fbbd3dd6e	Add support for Content-Security-Policy A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present.	2019-08-07 12:37:31 +10:00

Author

SHA1

Message

Date

GitLab Bot

79ecd9a748

Add latest changes from gitlab-org/gitlab@master

2021-08-13 21:09:54 +00:00

GitLab Bot

6b9d3a4e83

Add latest changes from gitlab-org/gitlab@master

2020-01-29 18:08:47 +00:00

Stan Hu

5fbbd3dd6e

Add support for Content-Security-Policy

A nonce-based Content-Security-Policy thwarts XSS attacks by allowing
inline JavaScript to execute if the script nonce matches the header
value. Rails 5.2 supports nonce-based Content-Security-Policy headers,
so provide configuration to enable this and make it work.

To support this, we need to change all `:javascript` HAML filters to the
following form:

```
= javascript_tag nonce: true do
  :plain
    ...
```

We use `%script` throughout our HAML to store JSON and other text, but
since this doesn't execute, browsers don't appear to block this content
from being used and require the nonce value to be present.

2019-08-07 12:37:31 +10:00

3 Commits