# frozen_string_literal: true
csp_settings = Settings.gitlab.content_security_policy
loader_class = ::Gitlab::ContentSecurityPolicy::ConfigLoader

# Backfill the operator-facing settings so the rest of this initializer can
# rely on them. `nil?` is checked deliberately: an explicit `false` from the
# settings file must survive, only an unset value gets the default.
if csp_settings['enabled'].nil?
  csp_settings['enabled'] = loader_class.default_enabled
end
csp_settings['report_only'] = false if csp_settings['report_only'].nil?
csp_settings['directives'] ||= {}

if csp_settings['enabled']
  rails_config = Rails.application.config

  # An empty directive map means the operator supplied none; use the
  # application defaults rather than installing an empty policy.
  if csp_settings['directives'].empty?
    csp_settings['directives'] = loader_class.default_directives
  end

  # See https://guides.rubyonrails.org/security.html#content-security-policy
  rails_config.content_security_policy do |policy|
    loader_class.new(csp_settings['directives'].to_h).load(policy)
  end

  # With report_only set, browsers only report violations and block nothing;
  # it is a monitoring mode, not enforcement.
  rails_config.content_security_policy_report_only = csp_settings['report_only']

  # A fresh 16-byte (128-bit) CSPRNG nonce per request; the request object
  # itself is not consulted.
  rails_config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }

  # Only script-src receives the per-request nonce.
  rails_config.content_security_policy_nonce_directives = %w[script-src]
end