From a6d0ab4930b1ee0069d6bc4d61e7f35f6907a9e2 Mon Sep 17 00:00:00 2001
From: Connor Shea
Date: Wed, 20 Jul 2016 12:09:02 -0600
Subject: [PATCH 1/2] Add CSP overrides for the import page.
---
 app/controllers/projects/imports_controller.rb | 5 +++++
 config/initializers/secure_headers.rb | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/app/controllers/projects/imports_controller.rb b/app/controllers/projects/imports_controller.rb
index a1b84afcd917..6e9c5fd368cd 100644
--- a/app/controllers/projects/imports_controller.rb
+++ b/app/controllers/projects/imports_controller.rb
@@ -8,9 +8,12 @@ class Projects::ImportsController < Projects::ApplicationController
 before_action :redirect_if_no_import, only: :show
 def new
+ use_secure_headers_override(:import)
 end
 def create
+ use_secure_headers_override(:import)
+
 @project.import_url = params[:project][:import_url]
 if @project.save
@@ -28,6 +31,8 @@ def create
 end
 def show
+ use_secure_headers_override(:import)
+
 if @project.import_finished?
 if continue_params
 redirect_to continue_params[:to], notice: continue_params[:notice]
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 253e3cf74109..67bd0109ffc8 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb 
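Review bot: The identical `use_secure_headers_override(:import)` call is hand-placed at the top of `new`, `create` and (in the next hunk) `show`, which means any action added to this controller later, or any early path that returns before the call, silently falls back to the default policy. A single controller-level `before_action { use_secure_headers_override(:import) }` next to the existing `before_action :redirect_if_no_import, only: :show` would apply the override uniformly; `use_secure_headers_override` is an ordinary controller instance method, so it should be callable from the filter block, though that is worth confirming against the secure_headers version in use. Scope it with `only:` if some action really needs the stricter default policy. The body of `create` continues past the end of this hunk, so the branches after `if @project.save` are not visible here.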
@@ -96,4 +96,22 @@
 if Gitlab.config.extra.has_key?('google_analytics_id')
 config.csp[:script_src] << "https://www.google-analytics.com"
 end
+
+
+ # Allow connecting accounts to Twitter, Google, GitLab.com, Bitbucket, and GitHub.
+ if Gitlab.config.omniauth.enabled
+ config.csp[:form_action] << "api.twitter.com"
+ config.csp[:form_action] << "accounts.google.com"
+ config.csp[:form_action] << "gitlab.com"
+ config.csp[:form_action] << "bitbucket.org"
+ config.csp[:form_action] << "github.com"
+ end
+end
+
+# Allow importing repositories from GitLab.com, GitHub, and Bitbucket.
+# Only applies to the import controller routes.
+SecureHeaders::Configuration.override(:import) do |config|
+ config.csp[:connect_src] << "gitlab.com"
+ config.csp[:connect_src] << "github.com"
+ config.csp[:connect_src] << "bitbucket.org"
 end
-- GitLab
From a637f1a70c2246111762e8d1da2eb3c8f9ef25e8 Mon Sep 17 00:00:00 2001
From: Connor Shea
Date: Wed, 20 Jul 2016 13:30:13 -0600
Subject: [PATCH 2/2] Add Facebook login and appease Rubocop.
---
 config/initializers/secure_headers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 67bd0109ffc8..298e46c2df5a 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -97,7 +97,6 @@
 config.csp[:script_src] << "https://www.google-analytics.com"
 end
-
 # Allow connecting accounts to Twitter, Google, GitLab.com, Bitbucket, and GitHub.
 if Gitlab.config.omniauth.enabled
 config.csp[:form_action] << "api.twitter.com"
@@ -105,6 +104,7 @@
 config.csp[:form_action] << "gitlab.com"
 config.csp[:form_action] << "bitbucket.org"
 config.csp[:form_action] << "github.com"
+ config.csp[:form_action] << "facebook.com"
 end
 end
-- GitLab
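Review bot: Every new host-source in this hunk is written without a scheme (`"api.twitter.com"`, `"gitlab.com"`, `"github.com"`, ...), while the Google Analytics entry three lines above pins `https://`; a scheme-less host-source matches the scheme the page itself was served over, so on an instance reachable over plain HTTP these `form_action` and `connect_src` entries would also permit posts and connections to the http:// versions of those hosts. Pinning them, e.g. `config.csp[:form_action] << "https://github.com"`, costs nothing and keeps the allow-list consistent with the rest of the file. Each `<<` also assumes the default configuration already initialises `:form_action` and `:connect_src` as arrays; if either is unset this raises NoMethodError on nil at boot, which cannot be verified from this hunk. Finally, `connect_src` only governs XHR/fetch/WebSocket requests issued by the browser, so if the import page polls the GitLab backend rather than github.com or bitbucket.org directly, the `:import` override loosens the policy without enabling anything — worth confirming before it ships, and the `if Gitlab.config.omniauth.enabled` guard likewise enables all five form-action hosts whenever any single provider is configured, where keying each entry on the configured providers would keep the list minimal.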
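Review bot: The added `config.csp[:form_action] << "facebook.com"` will not match the Facebook OAuth dialog if that lives on `www.facebook.com`, which is where the omniauth-facebook strategy's default authorize URL points as far as I recall; CSP host matching is exact unless a wildcard is used, so the login post (or, in browsers that enforce form-action across redirects, the redirect to it) would be blocked rather than allowed. Verify the actual authorize host and list that instead, e.g. `config.csp[:form_action] << "https://www.facebook.com"`, which also pins the scheme the way the Google Analytics entry earlier in this file does. The explanatory comment `# Allow connecting accounts to Twitter, Google, GitLab.com, Bitbucket, and GitHub.` that heads this list (visible as context in the previous hunk) now omits Facebook and should be updated in the same change.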