From f923521a320fb37033308a3906e6468a043f871a Mon Sep 17 00:00:00 2001 From: Connor Shea Date: Wed, 25 Jan 2017 12:09:55 -0700 Subject: [PATCH 1/8] Add CSP headers to GitLab. --- Gemfile | 3 + Gemfile.lock | 4 + config/initializers/secure_headers.rb | 109 ++++++++++++++++++++++++++ 3 files changed, 116 insertions(+) create mode 100644 config/initializers/secure_headers.rb diff --git a/Gemfile b/Gemfile index f54a1f500fd1..47c5a7a08bd7 100644 --- a/Gemfile +++ b/Gemfile @@ -364,3 +364,6 @@ gem 'sys-filesystem', '~> 1.1.6' gem 'gitaly', '~> 0.5.0' gem 'toml-rb', '~> 0.3.15', require: false + +# Secure headers for Content Security Policy +gem 'secure_headers', '~> 3.6' diff --git a/Gemfile.lock b/Gemfile.lock index b822a325861b..ffdc3f617aa5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -701,6 +701,8 @@ GEM scss_lint (0.47.1) rake (>= 0.9, < 11) sass (~> 3.4.15) + secure_headers (3.6.3) + useragent securecompare (1.0.0) seed-fu (2.3.6) activerecord (>= 3.1) @@ -811,6 +813,7 @@ GEM unicorn (>= 4, < 6) uniform_notifier (1.10.0) url_safe_base64 (0.2.2) + useragent (0.16.8) validates_hostname (1.0.6) activerecord (>= 3.0) activesupport (>= 3.0) @@ -999,6 +1002,7 @@ DEPENDENCIES sanitize (~> 2.0) sass-rails (~> 5.0.6) scss_lint (~> 0.47.0) + secure_headers (~> 3.6) seed-fu (~> 2.3.5) select2-rails (~> 3.5.9) sentry-raven (~> 2.4.0) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb new file mode 100644 index 000000000000..9fd24a667cc2 --- /dev/null +++ b/config/initializers/secure_headers.rb 
@@ -0,0 +1,109 @@ +# CSP headers have to have single quotes, so failures relating to quotes +# inside Ruby string arrays are irrelevant. +# rubocop:disable Lint/PercentStringArray +require 'gitlab/current_settings' +include Gitlab::CurrentSettings + +# If Sentry is enabled and the Rails app is running in production mode, +# this will construct the Report URI for Sentry. +if Rails.env.production? && current_application_settings.sentry_enabled + uri = URI.parse(current_application_settings.sentry_dsn) + CSP_REPORT_URI = "#{uri.scheme}://#{uri.host}/api#{uri.path}/csp-report/?sentry_key=#{uri.user}" +else + CSP_REPORT_URI = '' +end + +# Content Security Policy Headers +# For more information on CSP see: +# - https://gitlab.com/gitlab-org/gitlab-ce/issues/18231 +# - https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives +SecureHeaders::Configuration.default do |config| + # Mark all cookies as "Secure", "HttpOnly", and "SameSite=Strict". + config.cookies = { + secure: true, + httponly: true, + samesite: { + strict: true + } + } + config.x_content_type_options = "nosniff" + config.x_xss_protection = "1; mode=block" + config.x_download_options = "noopen" + config.x_permitted_cross_domain_policies = "none" + config.referrer_policy = "origin-when-cross-origin" + config.csp = { + # "Meta" values. + report_only: true, + preserve_schemes: true, + + # "Directive" values. + # Default source allows nothing, more permissive values are set per-policy. + default_src: %w('none'), + # (Deprecated) Don't allow iframes. + frame_src: %w('none'), + # Only allow XMLHTTPRequests from the GitLab instance itself. + connect_src: %w('self'), + # Only load local fonts. + font_src: %w('self'), + # Load local images, any external image available over HTTPS. + img_src: %w(* 'self' data:), + # Audio and video can't be played on GitLab currently, so it's disabled. + media_src: %w('none'), + # Don't allow , , or elements. 
+ object_src: %w('none'), + # Allow local scripts and inline scripts. + script_src: %w('unsafe-inline' 'unsafe-eval' 'self'), + # Allow local stylesheets and inline styles. + style_src: %w('unsafe-inline' 'self'), + # The URIs that a user agent may use as the document base URL. + base_uri: %w('self'), + # Only allow local iframes and service workers + child_src: %w('self'), + # Only submit form information to the GitLab instance. + form_action: %w('self'), + # Disallow any parents from embedding a page in an iframe. + frame_ancestors: %w('none'), + # Don't allow any plugins (Flash, Shockwave, etc.) + plugin_types: %w(), + # Blocks all mixed (HTTP) content. + block_all_mixed_content: true, + # Upgrades insecure requests to HTTPS when possible. + upgrade_insecure_requests: true + } + + # Reports are sent to Sentry if it's enabled. + if current_application_settings.sentry_enabled + config.csp[:report_uri] = %W(#{CSP_REPORT_URI}) + end + + # Allow Bootstrap Linter in development mode. + if Rails.env.development? + config.csp[:script_src] << "maxcdn.bootstrapcdn.com" + end + + # reCAPTCHA + if current_application_settings.recaptcha_enabled + config.csp[:script_src] << "https://www.google.com/recaptcha/" + config.csp[:script_src] << "https://www.gstatic.com/recaptcha/" + config.csp[:frame_src] << "https://www.google.com/recaptcha/" + config.x_frame_options = "SAMEORIGIN" + end + + # Gravatar + if current_application_settings.gravatar_enabled? 
+ config.csp[:img_src] << "www.gravatar.com" + config.csp[:img_src] << "secure.gravatar.com" + config.csp[:img_src] << Gitlab.config.gravatar.host + end + + # Piwik + if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id') + config.csp[:script_src] << Gitlab.config.extra.piwik_url + config.csp[:img_src] << Gitlab.config.extra.piwik_url + end + + # Google Analytics + if Gitlab.config.extra.has_key?('google_analytics_id') + config.csp[:script_src] << "https://www.google-analytics.com" + end +end -- GitLab From 7b098df00c38e83768a9cf4dbf9c441eb702f535 Mon Sep 17 00:00:00 2001 From: Connor Shea Date: Wed, 25 Jan 2017 12:24:10 -0700 Subject: [PATCH 2/8] Disable blocking mixed content. --- Gemfile | 2 +- Gemfile.lock | 2 +- config/initializers/secure_headers.rb | 35 +++++++++++++-------------- 3 files changed, 19 insertions(+), 20 deletions(-) diff --git a/Gemfile b/Gemfile index 47c5a7a08bd7..348cacaee3c4 100644 --- a/Gemfile +++ b/Gemfile @@ -366,4 +366,4 @@ gem 'gitaly', '~> 0.5.0' gem 'toml-rb', '~> 0.3.15', require: false # Secure headers for Content Security Policy -gem 'secure_headers', '~> 3.6' +gem 'secure_headers', '~> 3.6.0' diff --git a/Gemfile.lock b/Gemfile.lock index ffdc3f617aa5..d2d2f0a554c1 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1002,7 +1002,7 @@ DEPENDENCIES sanitize (~> 2.0) sass-rails (~> 5.0.6) scss_lint (~> 0.47.0) - secure_headers (~> 3.6) + secure_headers (~> 3.6.0) seed-fu (~> 2.3.5) select2-rails (~> 3.5.9) sentry-raven (~> 2.4.0) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index 9fd24a667cc2..c371c5a2ac35 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb 
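Review bot: The Sentry report URI is only built when `Rails.env.production?` holds (`CSP_REPORT_URI` is `''` otherwise), yet the block later runs `config.csp[:report_uri] = %W(#{CSP_REPORT_URI})` whenever `sentry_enabled` is set, so a non-production instance with Sentry on gets an empty `report_uri` list; the two guards should agree, e.g. `if Rails.env.production? && current_application_settings.sentry_enabled`, and patch 8 carries the same mismatch over to `csp_report_uri`. The top-level `include Gitlab::CurrentSettings` mixes the module into Object, making `current_application_settings` callable on every object in the process; calling it through the module (or caching the settings in a local) would avoid that, if the module supports it. The comment above `script_src` says "local scripts and inline scripts" but the value also carries `'unsafe-eval'`, and `'unsafe-inline'` plus `'unsafe-eval'` removes most of the script-injection mitigation a CSP gives, so the comment should state the gap, e.g. `# Allow local, inline and eval'd scripts; 'unsafe-inline'/'unsafe-eval' are a known gap until nonces are adopted.`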
@@ -31,21 +31,20 @@ config.x_download_options = "noopen" config.x_permitted_cross_domain_policies = "none" config.referrer_policy = "origin-when-cross-origin" - config.csp = { + config.csp_report_only = { # "Meta" values. - report_only: true, preserve_schemes: true, # "Directive" values. # Default source allows nothing, more permissive values are set per-policy. default_src: %w('none'), # (Deprecated) Don't allow iframes. - frame_src: %w('none'), + frame_src: %w('self'), # Only allow XMLHTTPRequests from the GitLab instance itself. connect_src: %w('self'), # Only load local fonts. font_src: %w('self'), - # Load local images, any external image available over HTTPS. + # Load local images, any external image available over HTTP. img_src: %w(* 'self' data:), # Audio and video can't be played on GitLab currently, so it's disabled. media_src: %w('none'), 
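Review bot: The comment `# (Deprecated) Don't allow iframes.` above `frame_src: %w('self')` now contradicts the value, and the next hunk has the same problem where `# Disallow any parents from embedding a page in an iframe.` sits above `frame_ancestors: %w('self')`. Suggested wording: `# (Deprecated in favour of child_src) Only allow same-origin iframes.` and `# Only allow same-origin pages to embed this page in an iframe.`. Relaxing `frame_ancestors` from 'none' to 'self' is a deliberate weakening of the framing protection that the commit message ("Disable blocking mixed content") does not mention, so it deserves a sentence in the message or a comment explaining why. The enclosing `SecureHeaders::Configuration.default` block starts before this hunk.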
@@ -62,48 +61,48 @@ # Only submit form information to the GitLab instance. form_action: %w('self'), # Disallow any parents from embedding a page in an iframe. - frame_ancestors: %w('none'), + frame_ancestors: %w('self'), # Don't allow any plugins (Flash, Shockwave, etc.) plugin_types: %w(), - # Blocks all mixed (HTTP) content. - block_all_mixed_content: true, + # Don't block mixed content. + block_all_mixed_content: false, # Upgrades insecure requests to HTTPS when possible. upgrade_insecure_requests: true } # Reports are sent to Sentry if it's enabled. if current_application_settings.sentry_enabled - config.csp[:report_uri] = %W(#{CSP_REPORT_URI}) + config.csp_report_only[:report_uri] = %W(#{CSP_REPORT_URI}) end # Allow Bootstrap Linter in development mode. if Rails.env.development? - config.csp[:script_src] << "maxcdn.bootstrapcdn.com" + config.csp_report_only[:script_src] << "maxcdn.bootstrapcdn.com" end # reCAPTCHA if current_application_settings.recaptcha_enabled - config.csp[:script_src] << "https://www.google.com/recaptcha/" - config.csp[:script_src] << "https://www.gstatic.com/recaptcha/" - config.csp[:frame_src] << "https://www.google.com/recaptcha/" + config.csp_report_only[:script_src] << "https://www.google.com/recaptcha/" + config.csp_report_only[:script_src] << "https://www.gstatic.com/recaptcha/" + config.csp_report_only[:frame_src] << "https://www.google.com/recaptcha/" config.x_frame_options = "SAMEORIGIN" end # Gravatar if current_application_settings.gravatar_enabled? 
- config.csp[:img_src] << "www.gravatar.com" - config.csp[:img_src] << "secure.gravatar.com" - config.csp[:img_src] << Gitlab.config.gravatar.host + config.csp_report_only[:img_src] << "www.gravatar.com" + config.csp_report_only[:img_src] << "secure.gravatar.com" + config.csp_report_only[:img_src] << Gitlab.config.gravatar.host end # Piwik if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id') - config.csp[:script_src] << Gitlab.config.extra.piwik_url - config.csp[:img_src] << Gitlab.config.extra.piwik_url + config.csp_report_only[:script_src] << Gitlab.config.extra.piwik_url + config.csp_report_only[:img_src] << Gitlab.config.extra.piwik_url end # Google Analytics if Gitlab.config.extra.has_key?('google_analytics_id') - config.csp[:script_src] << "https://www.google-analytics.com" + config.csp_report_only[:script_src] << "https://www.google-analytics.com" end end -- GitLab From 5a685ebfb015a1d194c14009cd20456ab1baf031 Mon Sep 17 00:00:00 2001 From: Connor Shea Date: Mon, 13 Feb 2017 16:17:13 -0700 Subject: [PATCH 3/8] Update secure_headers config to match what's currently used on GitLab.com. --- config/initializers/secure_headers.rb | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index c371c5a2ac35..87afa044905e 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -26,11 +26,6 @@ strict: true } } - config.x_content_type_options = "nosniff" - config.x_xss_protection = "1; mode=block" - config.x_download_options = "noopen" - config.x_permitted_cross_domain_policies = "none" - config.referrer_policy = "origin-when-cross-origin" config.csp_report_only = { # "Meta" values. preserve_schemes: true, 
@@ -41,7 +36,7 @@ # (Deprecated) Don't allow iframes. frame_src: %w('self'), # Only allow XMLHTTPRequests from the GitLab instance itself. - connect_src: %w('self'), + connect_src: %w('self' 'wss://gitlab.com'), # Only load local fonts. font_src: %w('self'), # Load local images, any external image available over HTTP. @@ -85,7 +80,6 @@ config.csp_report_only[:script_src] << "https://www.google.com/recaptcha/" config.csp_report_only[:script_src] << "https://www.gstatic.com/recaptcha/" config.csp_report_only[:frame_src] << "https://www.google.com/recaptcha/" - config.x_frame_options = "SAMEORIGIN" end # Gravatar -- GitLab From eba49ae7fb84df14405bc51a247a16a2132772cd Mon Sep 17 00:00:00 2001 From: Connor Shea Date: Mon, 13 Feb 2017 16:44:43 -0700 Subject: [PATCH 4/8] Update the config to match GitLab.com and fix a bunch of potential problems in development mode. --- config/initializers/secure_headers.rb | 37 +++++++++++++++++---------- 1 file changed, 23 insertions(+), 14 deletions(-) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index 87afa044905e..91dcdf78c542 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -13,6 +13,10 @@ CSP_REPORT_URI = '' end +GITLAB_WS_URI = Gitlab.config.gitlab['url'].sub(%r{^https?:(//|\\\\)(www\.)?}i, '') +uri2 = URI.parse(Gitlab.config.gitlab['url']) +WEBPACK_CONNECT_URI = "#{uri.scheme}://#{uri.host}:3808}" + # Content Security Policy Headers # For more information on CSP see: # - https://gitlab.com/gitlab-org/gitlab-ce/issues/18231 @@ -26,7 +30,7 @@ strict: true } } - config.csp_report_only = { + config.csp = { # "Meta" values. preserve_schemes: true, 
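Review bot: `'wss://gitlab.com'` is single-quoted, but in CSP quotes are only valid around keywords such as 'self'; a quoted host source is not a valid source expression and user agents drop it, so this allow-list entry does nothing. The host is also hard-coded to gitlab.com in a file shipped to every self-hosted instance; it should be derived from `Gitlab.config.gitlab['url']`, as patch 4 begins to do. Patch 4's `%W('self' "wss://#{GITLAB_WS_URI}")` keeps the quoting problem because `%W` emits the double quotes literally; patch 8's `%W('self' wss://#{gitlab_ws_uri})` is the first form that yields a valid source.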
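Review bot: `WEBPACK_CONNECT_URI` is built from `uri`, which is the parsed Sentry DSN from a few lines earlier and is only assigned when both `Rails.env.production?` and Sentry are on; in every other environment it is nil and `uri.scheme` fails at boot, and in production the Webpack URI would point at the Sentry host. The freshly parsed `uri2` is assigned and never read, and the string ends with a stray `}` (`:3808}`); `WEBPACK_CONNECT_URI = "#{uri2.scheme}://#{uri2.host}:3808"` is what appears to be intended, and patch 5 reworks these lines. Separately, `GITLAB_WS_URI` strips an optional `www.` from the configured URL, so an instance served at a www host gets a `wss://` source that does not match its own origin; this survives into patch 8's `sub(%r{^https?://(www\.)?}i, '')`, which should also anchor with `\A` rather than `^`.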
@@ -36,7 +40,8 @@ # (Deprecated) Don't allow iframes. frame_src: %w('self'), # Only allow XMLHTTPRequests from the GitLab instance itself. - connect_src: %w('self' 'wss://gitlab.com'), + # Only allow WebSockets connections from the GitLab instance itself. + connect_src: %W('self' "wss://#{GITLAB_WS_URI}"), # Only load local fonts. font_src: %w('self'), # Load local images, any external image available over HTTP. 
@@ -67,36 +72,40 @@ # Reports are sent to Sentry if it's enabled. if current_application_settings.sentry_enabled - config.csp_report_only[:report_uri] = %W(#{CSP_REPORT_URI}) + config.csp[:report_uri] = %W(#{CSP_REPORT_URI}) end - # Allow Bootstrap Linter in development mode. if Rails.env.development? - config.csp_report_only[:script_src] << "maxcdn.bootstrapcdn.com" + # Allow Bootstrap Linter in development mode. + config.csp[:script_src] << "maxcdn.bootstrapcdn.com" + # Disable upgrade_insecure_requests so we don't need an SSL cert in development. + config.csp[:upgrade_insecure_requests] = false + # Allow Webpack's dev server + config.csp[:connect_src] << "#{WEBPACK_CONNECT_URI}" end # reCAPTCHA if current_application_settings.recaptcha_enabled - config.csp_report_only[:script_src] << "https://www.google.com/recaptcha/" - config.csp_report_only[:script_src] << "https://www.gstatic.com/recaptcha/" - config.csp_report_only[:frame_src] << "https://www.google.com/recaptcha/" + config.csp[:script_src] << "https://www.google.com/recaptcha/" + config.csp[:script_src] << "https://www.gstatic.com/recaptcha/" + config.csp[:frame_src] << "https://www.google.com/recaptcha/" end # Gravatar if current_application_settings.gravatar_enabled? 
- config.csp_report_only[:img_src] << "www.gravatar.com" - config.csp_report_only[:img_src] << "secure.gravatar.com" - config.csp_report_only[:img_src] << Gitlab.config.gravatar.host + config.csp[:img_src] << "www.gravatar.com" + config.csp[:img_src] << "secure.gravatar.com" + config.csp[:img_src] << Gitlab.config.gravatar.host end # Piwik if Gitlab.config.extra.has_key?('piwik_url') && Gitlab.config.extra.has_key?('piwik_site_id') - config.csp_report_only[:script_src] << Gitlab.config.extra.piwik_url - config.csp_report_only[:img_src] << Gitlab.config.extra.piwik_url + config.csp[:script_src] << Gitlab.config.extra.piwik_url + config.csp[:img_src] << Gitlab.config.extra.piwik_url end # Google Analytics if Gitlab.config.extra.has_key?('google_analytics_id') - config.csp_report_only[:script_src] << "https://www.google-analytics.com" + config.csp[:script_src] << "https://www.google-analytics.com" end end -- GitLab From 418704214a78974e8b9471f320f76c9b88a1dc4a Mon Sep 17 00:00:00 2001 From: Connor Shea Date: Mon, 13 Feb 2017 16:51:11 -0700 Subject: [PATCH 5/8] Fix a few more bugs with dev mode. --- config/initializers/secure_headers.rb | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index 91dcdf78c542..07df3fdea7ca 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb 
@@ -13,9 +13,15 @@ CSP_REPORT_URI = '' end +# Get the GitLab URI without the scheme so it can have wss:// prepended. GITLAB_WS_URI = Gitlab.config.gitlab['url'].sub(%r{^https?:(//|\\\\)(www\.)?}i, '') -uri2 = URI.parse(Gitlab.config.gitlab['url']) -WEBPACK_CONNECT_URI = "#{uri.scheme}://#{uri.host}:3808}" + +# Determine current host, connect through port 3808 for Webpack. Development-only. +if Rails.env.development? + uri2 = URI.parse(Gitlab.config.gitlab['url']) + WEBPACK_CONNECT_URI = "#{uri2.scheme}://#{uri2.host}:3808" + WEBPACK_CONNECT_WS_URI = "ws://#{uri2.host}:3808" +end # Content Security Policy Headers # For more information on CSP see: @@ -82,6 +88,7 @@ config.csp[:upgrade_insecure_requests] = false # Allow Webpack's dev server config.csp[:connect_src] << "#{WEBPACK_CONNECT_URI}" + config.csp[:connect_src] << "#{WEBPACK_CONNECT_WS_URI}" end # reCAPTCHA -- GitLab From 4f28f86726c9b000c644d6fafb2a3cca13fbc3bc Mon Sep 17 00:00:00 2001 From: Connor Shea Date: Mon, 13 Feb 2017 16:53:39 -0700 Subject: [PATCH 6/8] Clean up the code a bit. --- config/initializers/secure_headers.rb | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index 07df3fdea7ca..fa060bb6c64f 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -16,13 +16,6 @@ # Get the GitLab URI without the scheme so it can have wss:// prepended. GITLAB_WS_URI = Gitlab.config.gitlab['url'].sub(%r{^https?:(//|\\\\)(www\.)?}i, '') -# Determine current host, connect through port 3808 for Webpack. Development-only. -if Rails.env.development? - uri2 = URI.parse(Gitlab.config.gitlab['url']) - WEBPACK_CONNECT_URI = "#{uri2.scheme}://#{uri2.host}:3808" - WEBPACK_CONNECT_WS_URI = "ws://#{uri2.host}:3808" -end - # Content Security Policy Headers # For more information on CSP see: # - https://gitlab.com/gitlab-org/gitlab-ce/issues/18231 
@@ -87,6 +80,12 @@ # Disable upgrade_insecure_requests so we don't need an SSL cert in development. config.csp[:upgrade_insecure_requests] = false # Allow Webpack's dev server + + # Determine current host, connect through port 3808 for Webpack. + uri = URI.parse(Gitlab.config.gitlab['url']) + WEBPACK_CONNECT_URI = "#{uri.scheme}://#{uri.host}:3808" + WEBPACK_CONNECT_WS_URI = "ws://#{uri.host}:3808" + config.csp[:connect_src] << "#{WEBPACK_CONNECT_URI}" config.csp[:connect_src] << "#{WEBPACK_CONNECT_WS_URI}" end -- GitLab From 4c61fabdf9afeec9a8a43fe22196778eeb7ef8a4 Mon Sep 17 00:00:00 2001 From: Connor Shea Date: Mon, 13 Feb 2017 17:01:06 -0700 Subject: [PATCH 7/8] Minor fixes. --- config/initializers/secure_headers.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index fa060bb6c64f..63da13cba0f0 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -79,13 +79,13 @@ config.csp[:script_src] << "maxcdn.bootstrapcdn.com" # Disable upgrade_insecure_requests so we don't need an SSL cert in development. config.csp[:upgrade_insecure_requests] = false - # Allow Webpack's dev server - + # Determine current host, connect through port 3808 for Webpack. uri = URI.parse(Gitlab.config.gitlab['url']) WEBPACK_CONNECT_URI = "#{uri.scheme}://#{uri.host}:3808" WEBPACK_CONNECT_WS_URI = "ws://#{uri.host}:3808" + # Allow Webpack's dev server config.csp[:connect_src] << "#{WEBPACK_CONNECT_URI}" config.csp[:connect_src] << "#{WEBPACK_CONNECT_WS_URI}" end -- GitLab From a9c4c5f43f8feaffc0eb123b45a0976802318d8b Mon Sep 17 00:00:00 2001 From: Connor Shea Date: Tue, 2 May 2017 17:01:10 -0600 Subject: [PATCH 8/8] Update secure_headers.rb with feedback. --- config/initializers/secure_headers.rb | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index 63da13cba0f0..e8c427758035 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -8,13 +8,13 @@ # this will construct the Report URI for Sentry. if Rails.env.production? && current_application_settings.sentry_enabled uri = URI.parse(current_application_settings.sentry_dsn) - CSP_REPORT_URI = "#{uri.scheme}://#{uri.host}/api#{uri.path}/csp-report/?sentry_key=#{uri.user}" + csp_report_uri = "#{uri.scheme}://#{uri.host}/api#{uri.path}/csp-report/?sentry_key=#{uri.user}" else - CSP_REPORT_URI = '' + csp_report_uri = '' end # Get the GitLab URI without the scheme so it can have wss:// prepended. -GITLAB_WS_URI = Gitlab.config.gitlab['url'].sub(%r{^https?:(//|\\\\)(www\.)?}i, '') +gitlab_ws_uri = Gitlab.config.gitlab['url'].sub(%r{^https?://(www\.)?}i, '') # Content Security Policy Headers # For more information on CSP see: @@ -23,10 +23,10 @@ SecureHeaders::Configuration.default do |config| # Mark all cookies as "Secure", "HttpOnly", and "SameSite=Strict". config.cookies = { - secure: true, + secure: Gitlab.config.gitlab.https, httponly: true, samesite: { - strict: true + lax: true } } config.csp = { @@ -40,7 +40,7 @@ frame_src: %w('self'), # Only allow XMLHTTPRequests from the GitLab instance itself. # Only allow WebSockets connections from the GitLab instance itself. - connect_src: %W('self' "wss://#{GITLAB_WS_URI}"), + connect_src: %W('self' wss://#{gitlab_ws_uri}), # Only load local fonts. font_src: %w('self'), # Load local images, any external image available over HTTP. @@ -71,7 +71,7 @@ # Reports are sent to Sentry if it's enabled. if current_application_settings.sentry_enabled - config.csp[:report_uri] = %W(#{CSP_REPORT_URI}) + config.csp[:report_uri] = %W(#{csp_report_uri}) end if Rails.env.development? 
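Review bot: The context comment `# Mark all cookies as "Secure", "HttpOnly", and "SameSite=Strict".` no longer describes the value in the cookies hunk: `samesite` is now `{ lax: true }` and `secure` follows `Gitlab.config.gitlab.https`. Suggested wording: `# Cookies are HttpOnly and SameSite=Lax; Secure is set only when the instance is served over HTTPS.` Moving from Strict to Lax is a deliberate relaxation (Lax still sends the cookie on top-level cross-site GET navigations), so the reason for it — presumably external links into GitLab losing the session — should be recorded in the comment or the commit message rather than left implicit.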
@@ -82,12 +82,12 @@ # Determine current host, connect through port 3808 for Webpack. uri = URI.parse(Gitlab.config.gitlab['url']) - WEBPACK_CONNECT_URI = "#{uri.scheme}://#{uri.host}:3808" - WEBPACK_CONNECT_WS_URI = "ws://#{uri.host}:3808" + webpack_connect_uri = "#{uri.scheme}://#{uri.host}:3808" + webpack_connect_ws_uri = "ws://#{uri.host}:3808" # Allow Webpack's dev server - config.csp[:connect_src] << "#{WEBPACK_CONNECT_URI}" - config.csp[:connect_src] << "#{WEBPACK_CONNECT_WS_URI}" + config.csp[:connect_src] << webpack_connect_uri + config.csp[:connect_src] << webpack_connect_ws_uri end # reCAPTCHA -- GitLab
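Review bot: `uri = URI.parse(Gitlab.config.gitlab['url'])` inside the configuration block reuses the top-level `uri` local that holds the parsed Sentry DSN (blocks capture enclosing locals), so the Sentry URI is silently overwritten in development; nothing reads it afterwards, but a distinct name avoids the trap, e.g. `webpack_uri = URI.parse(Gitlab.config.gitlab['url'])` and `webpack_connect_uri = "#{webpack_uri.scheme}://#{webpack_uri.host}:3808"`. Whether the Webpack dev server actually answers on the scheme of `gitlab['url']` (https when the app is configured for HTTPS) is not visible here; if it only serves plain http, the `#{uri.scheme}` source will not match and a comment should say which is intended. The enclosing `if Rails.env.development?` block starts before this hunk.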