A nonce-based Content-Security-Policy thwarts XSS attacks by allowing
inline JavaScript to execute if the script nonce matches the header
value. Rails 5.2 supports nonce-based Content-Security-Policy headers,
so provide configuration to enable this and make it work.
To support this, we need to change all `:javascript` HAML filters to the
following form:
```
= javascript_tag nonce: true do
:plain
...
```
We use `%script` throughout our HAML to store JSON and other text, but
since this doesn't execute, browsers don't appear to block this content
from being used and require the nonce value to be present.
It persist temporary personal snippets under
user/:id namespaces temporarily while creating
a upload record to track it. If an user gets removed
while it's still a tmp upload, it also gets removed.
If the tmp upload is sent, the upload gets moved to
personal_snippets/:id as before. The upload record
also gets updated to the new model type as well.
- Split up SnippetsController into separate dashboard and explore sections.
- Use consistent page titles, header titles and sidebars between dashboard and explore sections when signed in or not.
* projects from explore page are available from dashboard
* use dashboard sidebar for both logged in and not users
* move explroe projects under projects tab
* move explore groups under groups tab
* move public snippets under snippets tab
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
GitLab Bot