[EE] Add support for Content-Security-Policy

Stan Hu requested to merge sh-support-csp-nonce-ee into master

A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work.

To support this, we need to change all :javascript HAML filters to the following form:

= javascript_tag nonce: true do
  :plain
    ...

We use %script throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value there.

CE port: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31402

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/65330

Edited by Stan Hu
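
An added example, not part of the merge request or GitLab's code: a stand-alone Ruby sketch of the nonce check the description relies on, useful for auditing rendered HTML for inline scripts that a nonce-based policy would block. The function names, the constructed sample markup and the `'self'` source are assumptions, and the regex scan models only inline-script nonce matching, not a full CSP evaluation.

```ruby
require 'securerandom'

# Script types a browser executes (subset); any other type is an inert data block.
EXECUTABLE_TYPES = ['', 'text/javascript', 'application/javascript', 'module'].freeze

# Build a nonce-based script-src policy for one response ('self' is an assumed extra source).
def csp_header(nonce)
  "script-src 'self' 'nonce-#{nonce}'"
end

# Extract the nonce values a policy string accepts.
def allowed_nonces(policy)
  policy.scan(/'nonce-([^']+)'/).flatten
end

# Classify each <script> element in html against the policy.
# Returns [verdict, opening_tag] pairs; verdict is :allowed, :blocked,
# :external (src= without a matching nonce, not modelled here) or :data_block.
def audit_scripts(html, policy)
  nonces = allowed_nonces(policy)
  html.scan(/<script\b([^>]*)>/i).map do |(attrs)|
    type  = attrs[/(?<![\w-])type\s*=\s*["']([^"']*)["']/i, 1].to_s.strip.downcase
    nonce = attrs[/(?<![\w-])nonce\s*=\s*["']([^"']*)["']/i, 1]
    verdict =
      if !EXECUTABLE_TYPES.include?(type) then :data_block # never executed, so no nonce check
      elsif nonces.include?(nonce)         then :allowed
      elsif attrs =~ /(?<![\w-])src\s*=/i  then :external
      else :blocked
      end
    [verdict, "<script#{attrs}>"]
  end
end

# Constructed sample: a nonce-tagged script, a bare inline script, a JSON data block, a stale nonce.
NONCE = SecureRandom.base64(16)
SAMPLE_HTML = <<~HTML
  <script nonce="#{NONCE}">initDashboard();</script>
  <script>legacyInline();</script>
  <script type="application/json" id="js-data">{"a":1}</script>
  <script nonce="stale-value">replayed();</script>
HTML

if __FILE__ == $0
  audit_scripts(SAMPLE_HTML, csp_header(NONCE)).each { |v, tag| puts "#{v}: #{tag}" }
end
```
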