delta/gitlab/gitlab-ce.git/config/initializers, branch lib-differences gitlab.com: gitlab-org/gitlab-ce.git Merge branch 'sh-support-csp-nonce' into 'master' 2019-08-07T05:03:05+00:00 Ash McKenzie amckenzie@gitlab.com 2019-08-07T05:03:05+00:00 6cafa7002738f33c212b9f72d9b0f66b386c6faf Add support for Content-Security-Policy Closes #65330 See merge request gitlab-org/gitlab-ce!31402 
Add support for Content-Security-Policy

Closes #65330

See merge request gitlab-org/gitlab-ce!31402
 Add support for Content-Security-Policy 2019-08-07T02:37:31+00:00 Stan Hu stanhu@gmail.com 2019-08-06T06:14:32+00:00 5fbbd3dd6e965f76ecf1767373bddd236a78a4be A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work. To support this, we need to change all `:javascript` HAML filters to the following form: ``` = javascript_tag nonce: true do :plain ... ``` We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present. 
A nonce-based Content-Security-Policy thwarts XSS attacks by allowing
inline JavaScript to execute if the script nonce matches the header
value. Rails 5.2 supports nonce-based Content-Security-Policy headers,
so provide configuration to enable this and make it work.

To support this, we need to change all `:javascript` HAML filters to the
following form:

```
= javascript_tag nonce: true do
  :plain
    ...
```

We use `%script` throughout our HAML to store JSON and other text, but
since this doesn't execute, browsers don't appear to block this content
from being used and require the nonce value to be present.
Remove GC metrics from performance bar 2019-08-06T19:42:46+00:00 Sean McGivern sean@gitlab.com 2019-08-06T18:05:47+00:00 66963aad70abba7a87512070047244eefefeb563 These were disabled in production mode, but that also broke the rest of the performance bar. As they were only enabled in development mode, we can just remove them for now. 
These were disabled in production mode, but that also broke the rest of
the performance bar. As they were only enabled in development mode, we
can just remove them for now.
Revert "Merge branch 'backport-fix-remaining-prepend-lines' into 'master'" 2019-08-05T04:02:08+00:00 Mark Lapierre mlapierre@gitlab.com 2019-08-05T04:02:08+00:00 8ff68917b8b78dbf34785bda370692ac8b97c414 This reverts merge request !31379 
This reverts merge request !31379
 Merge branch 'backport-fix-remaining-prepend-lines' into 'master' 2019-08-02T16:25:30+00:00 Robert Speicher rspeicher@gmail.com 2019-08-02T16:25:30+00:00 8374dd565d44e5f97c179dcb4cf03c7d3ea69363 Support X_if_ee methods for QA tests See merge request gitlab-org/gitlab-ce!31379 
Support X_if_ee methods for QA tests

See merge request gitlab-org/gitlab-ce!31379
 Call `GC::Profiler.clear` only in one place 2019-08-02T09:04:32+00:00 Aleksei Lipniagov alipniagov@gitlab.com 2019-08-02T09:04:32+00:00 1f9edb7c4a393a6ebe78e6f98e46515ad655cece Previously, both InfluxSampler and RubySampler were relying on the `GC::Profiler.total_time` data which is the sum over the list of captured GC events. Also, both samplers asynchronously called `GC::Profiler.clear` which led to incorrect metric data because each sampler has the wrong assumption it is the only object who calls `GC::Profiler.clear` and thus could rely on the gathered results between such calls. We should ensure that `GC::Profiler.total_time` is called only in one place making it possible to rely on accumulated data between such wipes. Also, we need to track the amount of profiler reports we lost. 
Previously, both InfluxSampler and RubySampler were relying on the
`GC::Profiler.total_time` data which is the sum over the list
of captured GC events. Also, both samplers asynchronously called
`GC::Profiler.clear` which led to incorrect metric data because
each sampler has the wrong assumption it is the only object who calls
`GC::Profiler.clear` and thus could rely on the gathered results between
such calls.

We should ensure that `GC::Profiler.total_time` is called only in one
place making it possible to rely on accumulated data between such wipes.

Also, we need to track the amount of profiler reports we lost.
Backport of https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3809 2019-08-01T17:38:07+00:00 Valery Sizov valery@gitlab.com 2019-08-01T12:03:08+00:00 f519a4b72f81a1e3c81e5e684d236bbe30e0dd2d Introducing Docker Registry replication 
Introducing Docker Registry replication
Support X_if_ee methods for QA tests 2019-08-01T14:10:05+00:00 Yorick Peterse yorickpeterse@gmail.com 2019-08-01T12:41:37+00:00 27194e08525fa2ef43aa9f3dbfda378a7b1258bd For the QA tests to use the new injection methods, we must require the initializer and ensure that the "constantize" method is available. 
For the QA tests to use the new injection methods, we must require the
initializer and ensure that the "constantize" method is available.
Add methods for injecting EE modules 2019-07-30T12:52:54+00:00 Yorick Peterse yorickpeterse@gmail.com 2019-07-23T14:51:13+00:00 916183a7fd63f772a8493c9ac782b465503f9d13 This adds the methods prepend_if_ee, extend_if_ee, and include_if_ee that can be used to inject EE specific modules in EE. These methods are exposed as an initializer that is loaded as soon as possible. For tests that use fast_spec_helper.rb we must load this initializer manually, as the Rails environment is not loaded. This is not the most pretty setup, but unfortunately there is no alternative that we can use. 
This adds the methods prepend_if_ee, extend_if_ee, and include_if_ee
that can be used to inject EE specific modules in EE.

These methods are exposed as an initializer that is loaded as soon as
possible. For tests that use fast_spec_helper.rb we must load this
initializer manually, as the Rails environment is not loaded. This is
not the most pretty setup, but unfortunately there is no alternative
that we can use.
Remove line profiler from performance bar 2019-07-30T09:00:52+00:00 Sean McGivern sean@gitlab.com 2019-07-24T11:37:05+00:00 18cdc5ba6ce1810c19982475eca89fd385fe31e2 1. The output isn't great. It can be hard to find hotspots and, even when you do find them, to find why those are hotspots. 2. It uses some jQuery-specific frontend code which we can remove now that we don't have this any more. 3. It's only possible to profile the initial request, not any subsequent AJAX requests. 
1. The output isn't great. It can be hard to find hotspots and, even
   when you do find them, to find why those are hotspots.
2. It uses some jQuery-specific frontend code which we can remove now
   that we don't have this any more.
3. It's only possible to profile the initial request, not any subsequent
   AJAX requests.