Make static website CSP more permissive

Dominic Couture requested to merge csp-new-domains into master

Following !1312 (merged) and some testing I decided to make it more permissive.

This doesn't provide the best security, admittedly, but the documentation website is a static website with no user sessions. The numerous marketing third parties make it very difficult to have an allowlist of domain names because they load many dynamic dependencies that we can't really predict. This is a problem that a nonce and strict-dynamic solve, but we can't use that on a static website.

Fixes #850

Edited by Dominic Couture
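An added example, not part of the merge request or the project's code, illustrating the nonce constraint mentioned in the description: a nonce only helps when every response carries a fresh one, which a page rendered once at build time cannot provide. The function names, `/loader.js` and the sample responses are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Build the policy and page for a given nonce (constructed sample markup).
function page(nonce) {
  return {
    csp: `script-src 'nonce-${nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`,
    body: `<script nonce="${nonce}" src="/loader.js"></script>`,
  };
}

// Dynamic server: a new nonce is minted for every response.
function renderDynamic() {
  return page(crypto.randomBytes(16).toString("base64"));
}

// Static site: page and header are produced once at build time,
// so every visitor receives the same nonce.
const BUILD_NONCE = crypto.randomBytes(16).toString("base64");
function renderStatic() {
  return page(BUILD_NONCE);
}

// Extract the nonce values listed in the script-src directive of a CSP header.
function cspNonces(csp) {
  const directive = csp.split(";").map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("script-src "));
  if (!directive) return [];
  return [...directive.matchAll(/'nonce-([A-Za-z0-9+\/_-]+={0,2})'/g)].map((m) => m[1]);
}

// Audit captured responses: each needs a nonce, the nonce must never repeat
// across responses, and every script tag's nonce must appear in the policy.
function auditNonces(responses) {
  const findings = [];
  const seen = new Set();
  responses.forEach((r, i) => {
    const nonces = cspNonces(r.csp);
    if (nonces.length === 0) findings.push(`response ${i}: no nonce in script-src`);
    for (const n of nonces) {
      if (seen.has(n)) findings.push(`response ${i}: nonce reused from an earlier response`);
      seen.add(n);
    }
    const tags = [...r.body.matchAll(/<script\b[^>]*\bnonce="([^"]*)"/gi)].map((m) => m[1]);
    for (const t of tags) {
      if (!nonces.includes(t)) findings.push(`response ${i}: script nonce not in policy`);
    }
  });
  return findings;
}
```

Running `auditNonces` over three `renderStatic()` responses reports reuse on the second and third, while three `renderDynamic()` responses produce no findings.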
