Add latest changes from gitlab-org/security/gitlab@15-5-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-11-01 14:52:52 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-11-01 14:53:21 +0300
commit: b64b61bfe72c54fe4a7fdce34b2f1591e3822e5e (patch)
tree: c8d24132d4bd3c77a3c34a899c79f95756832b5e /lib
parent: 430576c997e7cfc61b003cf6dbf12817ef899eef (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 8648ffe5f49..f1faade250e 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -154,7 +154,7 @@ module Gitlab
       # Using 'self' in the CSP introduces several CSP bypass opportunities
       # for this reason we list the URLs where GitLab frames itself instead
       def self.allow_framed_gitlab_paths(directives)
-        ['/admin/', '/assets/', '/-/speedscope/index.html', '/-/sandbox/mermaid'].map do |path|
+        ['/admin/', '/assets/', '/-/speedscope/index.html', '/-/sandbox/'].map do |path|
           append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, path))
         end
       end
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-11-01 14:52:52 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-11-01 14:53:21 +0300
commit	b64b61bfe72c54fe4a7fdce34b2f1591e3822e5e (patch)
tree	c8d24132d4bd3c77a3c34a899c79f95756832b5e /lib
parent	430576c997e7cfc61b003cf6dbf12817ef899eef (diff)