Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
7ee0ed4e
Commit
7ee0ed4e
authored
Nov 11, 2021
by
Zhu Shung
Committed by
Lin Jen-Shin
Nov 11, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Move srcs to module of ContentSecurityPolicy::Directives
parent
ec26ccc0
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
27 additions
and
6 deletions
+27
-6
lib/gitlab/content_security_policy/config_loader.rb
lib/gitlab/content_security_policy/config_loader.rb
+2
-2
lib/gitlab/content_security_policy/directives.rb
lib/gitlab/content_security_policy/directives.rb
+21
-0
spec/lib/gitlab/content_security_policy/config_loader_spec.rb
.../lib/gitlab/content_security_policy/config_loader_spec.rb
+4
-4
No files found.
lib/gitlab/content_security_policy/config_loader.rb
View file @
7ee0ed4e
...
@@ -19,11 +19,11 @@ module Gitlab
...
@@ -19,11 +19,11 @@ module Gitlab
'font_src'
=>
"'self'"
,
'font_src'
=>
"'self'"
,
'form_action'
=>
"'self' https: http:"
,
'form_action'
=>
"'self' https: http:"
,
'frame_ancestors'
=>
"'self'"
,
'frame_ancestors'
=>
"'self'"
,
'frame_src'
=>
"https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
,
'frame_src'
=>
ContentSecurityPolicy
::
Directives
.
frame_src
,
'img_src'
=>
"'self' data: blob: http: https:"
,
'img_src'
=>
"'self' data: blob: http: https:"
,
'manifest_src'
=>
"'self'"
,
'manifest_src'
=>
"'self'"
,
'media_src'
=>
"'self'"
,
'media_src'
=>
"'self'"
,
'script_src'
=>
"'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com"
,
'script_src'
=>
ContentSecurityPolicy
::
Directives
.
script_src
,
'style_src'
=>
"'self' 'unsafe-inline'"
,
'style_src'
=>
"'self' 'unsafe-inline'"
,
'worker_src'
=>
"
#{
Gitlab
::
Utils
.
append_path
(
Gitlab
.
config
.
gitlab
.
url
,
'assets/'
)
}
blob: data:"
,
'worker_src'
=>
"
#{
Gitlab
::
Utils
.
append_path
(
Gitlab
.
config
.
gitlab
.
url
,
'assets/'
)
}
blob: data:"
,
'object_src'
=>
"'none'"
,
'object_src'
=>
"'none'"
,
...
...
lib/gitlab/content_security_policy/directives.rb
0 → 100644
View file @
7ee0ed4e
# frozen_string_literal: true
# This module is used to return various SaaS related
# ContentSecurityPolicy Directives src which may be
# overridden in other variants of GitLab
module
Gitlab
module
ContentSecurityPolicy
module
Directives
def
self
.
frame_src
"https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
end
def
self
.
script_src
"'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com"
end
end
end
end
Gitlab
::
ContentSecurityPolicy
::
Directives
.
prepend_mod
spec/lib/gitlab/content_security_policy/config_loader_spec.rb
View file @
7ee0ed4e
...
@@ -81,11 +81,11 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
...
@@ -81,11 +81,11 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end
end
it
'adds CDN host to CSP'
do
it
'adds CDN host to CSP'
do
expect
(
directives
[
'script_src'
]).
to
eq
(
"'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com
https://cdn.example.com"
)
expect
(
directives
[
'script_src'
]).
to
eq
(
::
Gitlab
::
ContentSecurityPolicy
::
Directives
.
script_src
+
"
https://cdn.example.com"
)
expect
(
directives
[
'style_src'
]).
to
eq
(
"'self' 'unsafe-inline' https://cdn.example.com"
)
expect
(
directives
[
'style_src'
]).
to
eq
(
"'self' 'unsafe-inline' https://cdn.example.com"
)
expect
(
directives
[
'font_src'
]).
to
eq
(
"'self' https://cdn.example.com"
)
expect
(
directives
[
'font_src'
]).
to
eq
(
"'self' https://cdn.example.com"
)
expect
(
directives
[
'worker_src'
]).
to
eq
(
'http://localhost/assets/ blob: data: https://cdn.example.com'
)
expect
(
directives
[
'worker_src'
]).
to
eq
(
'http://localhost/assets/ blob: data: https://cdn.example.com'
)
expect
(
directives
[
'frame_src'
]).
to
eq
(
"https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com
https://cdn.example.com http://localhost/admin/sidekiq http://localhost/admin/sidekiq/ http://localhost/-/speedscope/index.html"
)
expect
(
directives
[
'frame_src'
]).
to
eq
(
::
Gitlab
::
ContentSecurityPolicy
::
Directives
.
frame_src
+
"
https://cdn.example.com http://localhost/admin/sidekiq http://localhost/admin/sidekiq/ http://localhost/-/speedscope/index.html"
)
end
end
end
end
...
@@ -113,7 +113,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
...
@@ -113,7 +113,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end
end
it
'does not add CUSTOMER_PORTAL_URL to CSP'
do
it
'does not add CUSTOMER_PORTAL_URL to CSP'
do
expect
(
directives
[
'frame_src'
]).
to
eq
(
"https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com
http://localhost/admin/sidekiq http://localhost/admin/sidekiq/ http://localhost/-/speedscope/index.html"
)
expect
(
directives
[
'frame_src'
]).
to
eq
(
::
Gitlab
::
ContentSecurityPolicy
::
Directives
.
frame_src
+
"
http://localhost/admin/sidekiq http://localhost/admin/sidekiq/ http://localhost/-/speedscope/index.html"
)
end
end
end
end
...
@@ -123,7 +123,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
...
@@ -123,7 +123,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
end
end
it
'adds CUSTOMER_PORTAL_URL to CSP'
do
it
'adds CUSTOMER_PORTAL_URL to CSP'
do
expect
(
directives
[
'frame_src'
]).
to
eq
(
"https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com
http://localhost/rails/letter_opener/ https://customers.example.com http://localhost/admin/sidekiq http://localhost/admin/sidekiq/ http://localhost/-/speedscope/index.html"
)
expect
(
directives
[
'frame_src'
]).
to
eq
(
::
Gitlab
::
ContentSecurityPolicy
::
Directives
.
frame_src
+
"
http://localhost/rails/letter_opener/ https://customers.example.com http://localhost/admin/sidekiq http://localhost/admin/sidekiq/ http://localhost/-/speedscope/index.html"
)
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment