authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-20 11:43:02 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-20 11:43:02 +0300
commitd9ab72d6080f594d0b3cae15f14b3ef2c6c638cb (patch)
tree2341ef426af70ad1e289c38036737e04b0aa5007 /lib/gitlab/content_security_policy
parentd6e514dd13db8947884cd58fe2a9c2a063400a9b (diff)
Add latest changes from gitlab-org/gitlab@14-4-stable-eev14.4.0-rc42
Diffstat (limited to 'lib/gitlab/content_security_policy')
-rw-r--r--lib/gitlab/content_security_policy/config_loader.rb20
1 files changed, 20 insertions, 0 deletions
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index bdcedd1896d..0e3fa8b8d87 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -35,6 +35,10 @@ module Gitlab
# However Safari seems to read child-src first so we'll just keep both equal
directives['child_src'] = directives['frame_src']
+ # connect_src with 'self' includes https/wss variations of the origin,
+ # however, safari hasn't covered this yet and we need to explicitly add
+ # support for websocket origins until Safari catches up with the specs
+ allow_websocket_connections(directives)
allow_webpack_dev_server(directives) if Rails.env.development?
allow_cdn(directives, Settings.gitlab.cdn_host) if Settings.gitlab.cdn_host.present?
allow_customersdot(directives) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?
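Review bot: The helper reached through the new `allow_websocket_connections(directives)` line checks the configured port with `http_ports.include?(port)` against the Integers 80 and 443, so if the port setting can arrive as a String (for example when it is taken from an environment variable) the check never matches and an explicit `:443`/`:80` suffix is appended to the `wss://`/`ws://` origin; comparing `port.to_i` would make the check robust to either type. That helper is defined in the following hunk, whose end lies outside this view. It also reads `Gitlab.config.gitlab.host`/`port`/`https` while the neighbouring `allow_cdn` and `allow_customersdot` lines read `Settings.gitlab`, so using one accessor throughout would read more consistently. The comment above the call could say what is being allowlisted, e.g. `# Explicitly allow ws(s):// to the configured GitLab host:port for Safari`.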
@@ -67,6 +71,22 @@ module Gitlab
arguments.strip.split(' ').map(&:strip)
end
+ def self.allow_websocket_connections(directives)
+ http_ports = [80, 443]
+ host = Gitlab.config.gitlab.host
+ port = Gitlab.config.gitlab.port
+ secure = Gitlab.config.gitlab.https
+ protocol = secure ? 'wss' : 'ws'
+
+ ws_url = "#{protocol}://#{host}"
+
+ unless http_ports.include?(port)
+ ws_url = "#{ws_url}:#{port}"
+ end
+
+ append_to_directive(directives, 'connect_src', ws_url)
+ end
+
def self.allow_webpack_dev_server(directives)
secure = Settings.webpack.dev_server['https']
host_and_port = "#{Settings.webpack.dev_server['host']}:#{Settings.webpack.dev_server['port']}"