Diffstat (limited to 'app/controllers/projects/blob_controller.rb')
-rw-r--r--app/controllers/projects/blob_controller.rb26
1 files changed, 26 insertions, 0 deletions
diff --git a/app/controllers/projects/blob_controller.rb b/app/controllers/projects/blob_controller.rb
index 4eda76f4f21..59cea00e26b 100644
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -239,6 +239,8 @@ class Projects::BlobController < Projects::ApplicationController
@last_commit = @repository.last_commit_for_path(@commit.id, @blob.path, literal_pathspec: true)
@code_navigation_path = Gitlab::CodeNavigationPath.new(@project, @blob.commit_id).full_json_path_for(@blob.path)
+ allow_lfs_direct_download
+
render 'show'
end
@@ -282,6 +284,30 @@ class Projects::BlobController < Projects::ApplicationController
def visitor_id
current_user&.id
end
+
+ def allow_lfs_direct_download
+ return unless directly_downloading_lfs_object? && content_security_policy_enabled?
+ return unless (lfs_object = @project.lfs_objects.find_by_oid(@blob.lfs_oid))
+
+ request.content_security_policy.directives['connect-src'] ||= []
+ request.content_security_policy.directives['connect-src'] << lfs_src(lfs_object)
+ end
+
+ def directly_downloading_lfs_object?
+ Gitlab.config.lfs.enabled &&
+ !Gitlab.config.lfs.object_store.proxy_download &&
+ @blob&.stored_externally?
+ end
+
+ def content_security_policy_enabled?
+ Gitlab.config.gitlab.content_security_policy.enabled
+ end
+
+ def lfs_src(lfs_object)
+ file = lfs_object.file
+ file = file.cdn_enabled_url(request.remote_ip) if file.respond_to?(:cdn_enabled_url)
+ file.url
+ end
end
Projects::BlobController.prepend_mod
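Review bot: In `allow_lfs_direct_download`, `directives['connect-src'] ||= []` creates a `connect-src` directive holding only the LFS URL when none was set, and an explicit `connect-src` stops the browser from falling back to `default-src`, so fetches the page previously relied on that fallback for could be blocked. Seeding from the fallback keeps the existing allowance: `request.content_security_policy.directives['connect-src'] ||= Array(request.content_security_policy.directives['default-src']).dup`. The `<<` append also mutates the policy object in place, which is safe only if `request.content_security_policy` is already a per-request copy; that is not visible in this hunk and is worth confirming so one user's LFS source does not persist into later responses. In `lfs_src`, `file.url` may be a pre-signed object-storage URL (its shape is not shown here), and a CSP source expression has no query component, so such a value would be an invalid source as well as a signed link echoed in a response header. Adding only the scheme and host of that URL would give a valid source and avoid both problems.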