Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-01 00:10:33 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-12-01 00:10:33 +0300
commit: 16d8ebae46866ffe7135c3e4b931001b846441f4 (patch)
tree: d4b2ea6c76fe3bebeef68d85e0553e8de1f552e4 /lib
parent: 99f37f7ebdeb0e7b7493d9f6294086cc90778304 (diff)
1 files changed, 1 insertions, 4 deletions
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 50490d1b5a3..87bc2ace204 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -147,10 +147,7 @@ module Gitlab
       # Using 'self' in the CSP introduces several CSP bypass opportunities
       # for this reason we list the URLs where GitLab frames itself instead
       def self.allow_framed_gitlab_paths(directives)
-        # We need the version without trailing / for the sidekiq page itself
-        # and we also need the version with trailing / for "deeper" pages
-        # like /admin/sidekiq/busy
-        ['/admin/sidekiq', '/admin/sidekiq/', '/-/speedscope/index.html'].map do |path|
+        ['/admin/', '/assets/', '/-/speedscope/index.html'].map do |path|
           append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, path))
         end
       end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-01 00:10:33 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-12-01 00:10:33 +0300
commit	16d8ebae46866ffe7135c3e4b931001b846441f4 (patch)
tree	d4b2ea6c76fe3bebeef68d85e0553e8de1f552e4 /lib
parent	99f37f7ebdeb0e7b7493d9f6294086cc90778304 (diff)