From 272c39ac05e0d68444114aed58ef2b44e1af30d6 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 27 Sep 2023 00:10:14 +0000
Subject: Add latest changes from gitlab-org/gitlab@master

---
 app/controllers/acme_challenges_controller.rb |  4 +---
 app/controllers/application_controller.rb     |  2 +-
 app/controllers/base_action_controller.rb     | 31 +++++++++++++++++++++++++++
 app/controllers/chaos_controller.rb           |  4 +---
 app/controllers/health_controller.rb          |  4 +---
 app/controllers/metrics_controller.rb         |  4 +---
 6 files changed, 36 insertions(+), 13 deletions(-)
 create mode 100644 app/controllers/base_action_controller.rb

(limited to 'app/controllers')

diff --git a/app/controllers/acme_challenges_controller.rb b/app/controllers/acme_challenges_controller.rb
index 4a7706db94e..a187e43b3df 100644
--- a/app/controllers/acme_challenges_controller.rb
+++ b/app/controllers/acme_challenges_controller.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
-# rubocop:disable Rails/ApplicationController
-class AcmeChallengesController < ActionController::Base
+class AcmeChallengesController < BaseActionController
   def show
     if acme_order
       render plain: acme_order.challenge_file_content, content_type: 'text/plain'
@@ -16,4 +15,3 @@ class AcmeChallengesController < ActionController::Base
     @acme_order ||= PagesDomainAcmeOrder.find_by_domain_and_token(params[:domain], params[:token])
   end
 end
-# rubocop:enable Rails/ApplicationController
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7c69f43fa3d..bfd3388da1b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,7 +3,7 @@
 require 'gon'
 require 'fogbugz'
 
-class ApplicationController < ActionController::Base
+class ApplicationController < BaseActionController
   include Gitlab::GonHelper
   include Gitlab::NoCacheHeaders
   include GitlabRoutingHelper
diff --git a/app/controllers/base_action_controller.rb b/app/controllers/base_action_controller.rb
new file mode 100644
index 00000000000..af2c9e98778
--- /dev/null
+++ b/app/controllers/base_action_controller.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+# GitLab lightweight base action controller
+#
+# This class should be limited to content that
+# is desired/required for *all* controllers in
+# GitLab.
+#
+# Most controllers inherit from `ApplicationController`.
+# Some controllers don't want or need all of that
+# logic and instead inherit from `ActionController::Base`.
+# This makes it difficult to set security headers and
+# handle other critical logic across *all* controllers.
+#
+# Between this controller and `ApplicationController`
+# no controller should ever inherit directly from
+# `ActionController::Base`
+#
+# rubocop:disable Rails/ApplicationController
+# rubocop:disable Gitlab/NamespacedClass
+class BaseActionController < ActionController::Base
+  before_action :security_headers
+
+  private
+
+  def security_headers
+    headers['Cross-Origin-Opener-Policy'] = 'same-origin' if ::Feature.enabled?(:coop_header)
+  end
+end
+# rubocop:enable Gitlab/NamespacedClass
+# rubocop:enable Rails/ApplicationController
diff --git a/app/controllers/chaos_controller.rb b/app/controllers/chaos_controller.rb
index 7328b793b09..b61a8c5ff12 100644
--- a/app/controllers/chaos_controller.rb
+++ b/app/controllers/chaos_controller.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
-# rubocop:disable Rails/ApplicationController
-class ChaosController < ActionController::Base
+class ChaosController < BaseActionController
   before_action :validate_chaos_secret, unless: :development_or_test?
 
   def leakmem
@@ -95,4 +94,3 @@ class ChaosController < ActionController::Base
     Rails.env.development? || Rails.env.test?
   end
 end
-# rubocop:enable Rails/ApplicationController
diff --git a/app/controllers/health_controller.rb b/app/controllers/health_controller.rb
index 1381999ab4c..2b2db2f950c 100644
--- a/app/controllers/health_controller.rb
+++ b/app/controllers/health_controller.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
-# rubocop:disable Rails/ApplicationController
-class HealthController < ActionController::Base
+class HealthController < BaseActionController
   protect_from_forgery with: :exception, prepend: true
   include RequiresAllowlistedMonitoringClient
 
@@ -40,4 +39,3 @@ class HealthController < ActionController::Base
     render json: result.json, status: result.http_status
   end
 end
-# rubocop:enable Rails/ApplicationController
diff --git a/app/controllers/metrics_controller.rb b/app/controllers/metrics_controller.rb
index 9f41c092fa0..61851fd1c60 100644
--- a/app/controllers/metrics_controller.rb
+++ b/app/controllers/metrics_controller.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
-# rubocop:disable Rails/ApplicationController
-class MetricsController < ActionController::Base
+class MetricsController < BaseActionController
   include RequiresAllowlistedMonitoringClient
 
   protect_from_forgery with: :exception, prepend: true
@@ -36,4 +35,3 @@ class MetricsController < ActionController::Base
     )
   end
 end
-# rubocop:enable Rails/ApplicationController
-- 
cgit v1.2.3