Add latest changes from gitlab-org/gitlab@16-3-stable-ee

2 files changed, 19 insertions, 1 deletions

diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 9fb3c7d362f..59a4e425b85 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -84,7 +84,7 @@ module Gitlab
         end
 
         def allow_lfs(directives)
-          return unless Gitlab.config.lfs.enabled && LfsObjectUploader.direct_download_enabled?
+          return unless Gitlab.config.lfs.enabled && LfsObjectUploader.object_store_enabled? && LfsObjectUploader.direct_download_enabled?
 
           lfs_url = build_lfs_url
           return unless lfs_url.present?
diff --git a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
index dd633820ad9..6d24ced138e 100644
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -205,6 +205,24 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader, feature_category: :s
       context 'when LFS is enabled' do
         let(:lfs_enabled) { true }
 
+        context 'and object storage is not in use' do
+          let(:lfs_config) do
+            {
+              enabled: false,
+              remote_directory: 'lfs-objects',
+              connection: {},
+              direct_upload: false,
+              proxy_download: true,
+              storage_options: {}
+            }
+          end
+
+          it 'is expected to be skipped' do
+            expect(described_class.send(:allow_lfs, directives)).to be_nil
+            expect(connect_src).not_to include('lfs-objects')
+          end
+        end
+
         context 'and direct downloads are enabled' do
           let(:provider) { LfsObjectUploader.object_store_options.connection.provider }