Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app/controllers/concerns/observability/content_security_policy.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/controllers/concerns/observability/content_security_policy.rb')
-rw-r--r--app/controllers/concerns/observability/content_security_policy.rb25
1 files changed, 25 insertions, 0 deletions
diff --git a/app/controllers/concerns/observability/content_security_policy.rb b/app/controllers/concerns/observability/content_security_policy.rb
new file mode 100644
index 00000000000..eccd1e1e3ef
--- /dev/null
+++ b/app/controllers/concerns/observability/content_security_policy.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Observability
+ module ContentSecurityPolicy
+ extend ActiveSupport::Concern
+
+ included do
+ content_security_policy do |p|
+ next if p.directives.blank? || Gitlab::Observability.observability_url.blank?
+
+ default_frame_src = p.directives['frame-src'] || p.directives['default-src']
+
+ # When ObservabilityUI is not authenticated, it needs to be able
+ # to redirect to the GL sign-in page, hence '/users/sign_in' and '/oauth/authorize'
+ frame_src_values = Array.wrap(default_frame_src) | [Gitlab::Observability.observability_url,
+ Gitlab::Utils.append_path(Gitlab.config.gitlab.url,
+'/users/sign_in'),
+ Gitlab::Utils.append_path(Gitlab.config.gitlab.url,
+'/oauth/authorize')]
+
+ p.frame_src(*frame_src_values)
+ end
+ end
+ end
+end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-16 03:26:08 +0300