Enable Content-Security-Policy by default
Follow up from https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/31402:
We want to enable this by default, but we'd have to be very careful because it could break a number of setups:
- In development mode, the ports will vary depending on your Webpack ports (e.g. 3808 vs 3809), Workhorse ports (e.g. 3000, 3001) etc.
- In test mode, CI calls to `execute_script` may be blocked by CSP rules (see https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14975#note_200390099). Not sure how to get around this at the moment: there may be a way to disable CSP just for specific tests that need this.
- We have to account for CDN hostnames and other external URL/ports that customers might use.
A few years ago @connorshea attempted to enable report-only CSP that we rolled back:
We should use some of these rules to build the list dynamically.
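As an added illustration (not GitLab's own code) of building the directive list dynamically: a small Ruby helper that derives the header from the environment, the local dev ports in use, and any configured CDN hosts, and can emit the report-only variant for a staged rollout. The directive set, port numbers, CDN hostnames and report path are assumptions.

```ruby
# Added example, not from the GitLab code base: generate the CSP header from
# per-environment settings instead of hard-coding source lists.
require 'uri'

# Baseline policy (an assumption; a real instance would tune these directives).
BASE_CSP = {
  'default-src' => ["'self'"],
  'script-src'  => ["'self'"],
  'style-src'   => ["'self'"],
  'img-src'     => ["'self'", 'data:'],
  'connect-src' => ["'self'"],
  'font-src'    => ["'self'"]
}.freeze

# env:         :development, :test or :production
# dev_ports:   local ports that must be allowed in development (webpack, workhorse)
# cdn_hosts:   external asset origins the instance serves from (https only)
# report_only: emit Content-Security-Policy-Report-Only instead of enforcing
# Returns [header_name, header_value].
def build_csp(env:, dev_ports: [], cdn_hosts: [], report_only: false, report_uri: nil)
  directives = BASE_CSP.transform_values(&:dup)

  if env == :development
    dev_ports.each do |port|
      # Assets served from localhost dev ports, plus the webpack HMR websocket.
      %w[script-src style-src connect-src img-src font-src].each do |d|
        directives[d] << "http://localhost:#{port}"
      end
      directives['connect-src'] << "ws://localhost:#{port}"
    end
  end

  cdn_hosts.each do |host|
    uri = URI.parse(host)
    # Refuse plaintext CDN origins rather than silently weakening the policy.
    raise ArgumentError, "CDN host must be https: #{host}" unless uri.scheme == 'https'
    %w[script-src style-src img-src font-src].each { |d| directives[d] << host }
  end

  directives['report-uri'] = [report_uri] if report_uri

  header = report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'
  value  = directives.map { |name, sources| "#{name} #{sources.uniq.join(' ')}" }.join('; ')
  [header, value]
end
```

Rolling out with `report_only: true` and a `report_uri` surfaces the dev-port and CDN violations described above before the policy is enforced.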