id / go-sso
Commit 81b8bd24 authored May 04, 2020 by ale
Stricter Content-Security-Policy headers
Adds the 'base-uri', 'form-action' and 'frame-ancestors' properties.
parent 72bb1ac7
Pipeline #6705 passed with stages in 2 minutes and 53 seconds
Showing 1 changed file with 2 additions and 2 deletions: server/http.go (+2 -2)
@@ -30,11 +30,11 @@ import (
)
// A relatively strict CSP.
const
contentSecurityPolicy
=
"default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self';"
const
contentSecurityPolicy
=
"default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self';
frame-ancestors 'none'; form-action 'self'; base-uri 'none';
"
// Slightly looser CSP for the logout page: it needs to load remote
// images.
const
logoutContentSecurityPolicy
=
"default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *;"
const
logoutContentSecurityPolicy
=
"default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *;
frame-ancestors 'none'; form-action 'self'; base-uri 'none';
"
// Returns the URL of the login handler on the target service.
func
serviceLoginCallback
(
service
,
destination
,
token
string
)
string
{
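Review bot: as rendered, both new literals (the `const contentSecurityPolicy = "default-src 'none'; ...` and `const logoutContentSecurityPolicy = "default-src 'none'; img-src *; ...` lines) run across three lines with the closing `"` on its own line, and a Go interpreted (double-quoted) string cannot contain a raw newline; since pipeline #6705 passed, the source presumably uses a raw backtick literal or `+` concatenation that this view has lost. If it is a raw literal, the header value itself carries embedded newlines and leading whitespace before `frame-ancestors`, which is not what a CSP header should be sent with; concatenating the two fragments (`"...connect-src 'self'; " + "frame-ancestors 'none'; form-action 'self'; base-uri 'none';"`) keeps the value on one logical line and makes the intent explicit. Separately, the comment on the logout policy says the page only needs to load remote images, yet `connect-src *` is kept alongside `img-src *`; if only images are remote, tightening that to `connect-src 'self'` in the same change would leave the logout policy as strict as the main one apart from `img-src`.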