Add latest changes from gitlab-org/gitlab@14-7-stable-eev14.7.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-01-20 12:16:11 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-01-20 12:16:11 +0300
commit: edaa33dee2ff2f7ea3fac488d41558eb5f86d68c (patch)
tree: 11f143effbfeba52329fb7afbd05e6e2a3790241 /lib/gitlab/content_security_policy
parent: d8a5691316400a0f7ec4f83832698f1988eb27c1 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 87bc2ace204..78ba0916808 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -147,7 +147,7 @@ module Gitlab
       # Using 'self' in the CSP introduces several CSP bypass opportunities
       # for this reason we list the URLs where GitLab frames itself instead
       def self.allow_framed_gitlab_paths(directives)
-        ['/admin/', '/assets/', '/-/speedscope/index.html'].map do |path|
+        ['/admin/', '/assets/', '/-/speedscope/index.html', '/-/sandbox/mermaid'].map do |path|
           append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, path))
         end
       end
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-01-20 12:16:11 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-01-20 12:16:11 +0300
commit	edaa33dee2ff2f7ea3fac488d41558eb5f86d68c (patch)
tree	11f143effbfeba52329fb7afbd05e6e2a3790241 /lib/gitlab/content_security_policy
parent	d8a5691316400a0f7ec4f83832698f1988eb27c1 (diff)