diff options
Diffstat (limited to 'app/controllers/concerns/observability/content_security_policy.rb')
-rw-r--r-- | app/controllers/concerns/observability/content_security_policy.rb | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/app/controllers/concerns/observability/content_security_policy.rb b/app/controllers/concerns/observability/content_security_policy.rb new file mode 100644 index 00000000000..eccd1e1e3ef --- /dev/null +++ b/app/controllers/concerns/observability/content_security_policy.rb @@ -0,0 +1,25 @@ +# frozen_string_literal: true + +module Observability + module ContentSecurityPolicy + extend ActiveSupport::Concern + + included do + content_security_policy do |p| + next if p.directives.blank? || Gitlab::Observability.observability_url.blank? + + default_frame_src = p.directives['frame-src'] || p.directives['default-src'] + + # When ObservabilityUI is not authenticated, it needs to be able + # to redirect to the GL sign-in page, hence '/users/sign_in' and '/oauth/authorize' + frame_src_values = Array.wrap(default_frame_src) | [Gitlab::Observability.observability_url, + Gitlab::Utils.append_path(Gitlab.config.gitlab.url, +'/users/sign_in'), + Gitlab::Utils.append_path(Gitlab.config.gitlab.url, +'/oauth/authorize')] + + p.frame_src(*frame_src_values) + end + end + end +end |