author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-01 00:10:33 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-01 00:10:33 +0300 |
commit | 16d8ebae46866ffe7135c3e4b931001b846441f4 (patch) | |
tree | d4b2ea6c76fe3bebeef68d85e0553e8de1f552e4 /lib | |
parent | 99f37f7ebdeb0e7b7493d9f6294086cc90778304 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/content_security_policy/config_loader.rb | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 50490d1b5a3..87bc2ace204 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -147,10 +147,7 @@ module Gitlab
 # Using 'self' in the CSP introduces several CSP bypass opportunities
 # for this reason we list the URLs where GitLab frames itself instead
 def self.allow_framed_gitlab_paths(directives)
- # We need the version without trailing / for the sidekiq page itself
- # and we also need the version with trailing / for "deeper" pages
- # like /admin/sidekiq/busy
- ['/admin/sidekiq', '/admin/sidekiq/', '/-/speedscope/index.html'].map do |path|
+ ['/admin/', '/assets/', '/-/speedscope/index.html'].map do |path|
 append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, path))
 end
 end |
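Review bot: The new frame_src allowlist on the added line replaces the two exact Sidekiq entries with the prefixes `/admin/` and `/assets/`, but the comment explaining the list is dropped and nothing says why these broader prefixes are needed, while the comment two lines above still presents the list as the specific URLs GitLab frames. A prefix such as `/admin/` permits this page to embed any admin URL, which is coarser than that comment implies; if that breadth is intentional, restore a comment next to the array, e.g. `# /admin/ rather than /admin/sidekiq because <reason — TODO confirm>; /assets/ is framed by <feature — TODO confirm>`, so a later reader can judge whether it can be narrowed again. It may also help to state in that comment that frame-src only limits what this page may embed and does not restrict who may embed GitLab. Extracting the array into a `.freeze`d constant with the rationale attached would keep the method body to the directive call. The whole of allow_framed_gitlab_paths is within the hunk.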