debian-mirror-gitlab/app/controllers/concerns/observability/content_security_policy.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

32 lines
1.1 KiB
Ruby
Raw Normal View History

2023-03-04 22:38:38 +05:30
# frozen_string_literal: true
module Observability
module ContentSecurityPolicy
extend ActiveSupport::Concern
included do
2023-03-17 16:20:25 +05:30
content_security_policy_with_context do |p|
current_group = if defined?(group)
group
else
defined?(project) ? project&.group : nil
end
2023-05-27 22:25:52 +05:30
next if p.directives.blank? || !Feature.enabled?(:observability_group_tab, current_group)
2023-03-04 22:38:38 +05:30
default_frame_src = p.directives['frame-src'] || p.directives['default-src']
# When ObservabilityUI is not authenticated, it needs to be able
# to redirect to the GL sign-in page, hence '/users/sign_in' and '/oauth/authorize'
2023-05-27 22:25:52 +05:30
frame_src_values = Array.wrap(default_frame_src) | [
Gitlab::Observability.observability_url,
Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/users/sign_in'),
Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/oauth/authorize')
]
2023-03-04 22:38:38 +05:30
p.frame_src(*frame_src_values)
end
end
end
end