summaryrefslogtreecommitdiff
path: root/app/controllers/concerns/observability/content_security_policy.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/controllers/concerns/observability/content_security_policy.rb')
-rw-r--r--app/controllers/concerns/observability/content_security_policy.rb21
1 files changed, 21 insertions, 0 deletions
diff --git a/app/controllers/concerns/observability/content_security_policy.rb b/app/controllers/concerns/observability/content_security_policy.rb
new file mode 100644
index 00000000000..2721907f218
--- /dev/null
+++ b/app/controllers/concerns/observability/content_security_policy.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Observability
+ module ContentSecurityPolicy
+ extend ActiveSupport::Concern
+
+ included do
+ content_security_policy do |p|
+ next if p.directives.blank? || Gitlab::Observability.observability_url.blank?
+
+ default_frame_src = p.directives['frame-src'] || p.directives['default-src']
+
+ # When ObservabilityUI is not authenticated, it needs to be able
+ # to redirect to the GL sign-in page, hence 'self'
+ frame_src_values = Array.wrap(default_frame_src) | [Gitlab::Observability.observability_url, "'self'"]
+
+ p.frame_src(*frame_src_values)
+ end
+ end
+ end
+end