gitlab-org--gitlab-foss

Commit Graph

Author	SHA1	Message	Date
GitLab Bot	30e5ae4c2b	Add latest changes from gitlab-org/gitlab@master	2021-10-06 18:12:19 +00:00
GitLab Bot	79ecd9a748	Add latest changes from gitlab-org/gitlab@master	2021-08-13 21:09:54 +00:00
GitLab Bot	e6de69cc2e	Add latest changes from gitlab-org/gitlab@master	2021-08-12 03:10:11 +00:00
GitLab Bot	caff5659c9	Add latest changes from gitlab-org/gitlab@master	2021-08-10 21:10:06 +00:00
GitLab Bot	7c28a67789	Add latest changes from gitlab-org/gitlab@master	2021-06-30 12:07:58 +00:00
GitLab Bot	4f41b713eb	Add latest changes from gitlab-org/gitlab@master	2021-06-03 15:10:01 +00:00
GitLab Bot	e5f1831403	Add latest changes from gitlab-org/gitlab@master	2021-06-03 09:10:18 +00:00
GitLab Bot	685084aaf4	Add latest changes from gitlab-org/gitlab@master	2021-06-03 06:10:07 +00:00
GitLab Bot	8c438dd7a6	Add latest changes from gitlab-org/gitlab@master	2021-06-01 12:09:36 +00:00
GitLab Bot	c0bc55ffe1	Add latest changes from gitlab-org/gitlab@master	2021-05-25 21:10:26 +00:00
GitLab Bot	c33a9adb70	Add latest changes from gitlab-org/gitlab@master	2021-05-11 12:10:20 +00:00
Stan Hu	d265408c26	Add missing report-uri to CSP config This is supported in Rails 5.2, although it may be deprecated in the future by reports-to.	2019-08-07 11:21:08 -07:00
Stan Hu	5fbbd3dd6e	Add support for Content-Security-Policy A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present.	2019-08-07 12:37:31 +10:00

13 Commits