Module: WebIdeCSP
- Extended by: ActiveSupport::Concern
- Included in: IdeController
- Defined in: app/controllers/concerns/web_ide_csp.rb
Instance Method Summary
- #include_web_ide_csp ⇒ Object
  We want to include frames from /assets/webpack of the request’s host to support URL flexibility with the Web IDE.
Instance Method Details
#include_web_ide_csp ⇒ Object
We want to include frames from /assets/webpack of the request’s host to support URL flexibility with the Web IDE. gitlab.com/gitlab-org/gitlab/-/merge_requests/118875
```ruby
# File 'app/controllers/concerns/web_ide_csp.rb', line 13

def include_web_ide_csp
  return if request.content_security_policy.directives.blank?

  base_uri = URI(request.url)
  base_uri.path = ::Gitlab.config.gitlab.relative_url_root || '/'
  # note: `.path +=` handles combining trailing and leading slashes (e.g. `x/` and `/foo`)
  base_uri.path += '/assets/webpack/'
  # note: this fixes a browser console warning where CSP included query params
  base_uri.query = nil
  webpack_url = base_uri.to_s

  default_src = Array(request.content_security_policy.directives['default-src'] || [])
  request.content_security_policy.directives['frame-src'] ||= default_src
  request.content_security_policy.directives['frame-src'].concat([
    webpack_url,
    "https://*.#{WebIde::ExtensionMarketplace.extension_host_domain}/",
    ide_oauth_redirect_url,
  ])

  request.content_security_policy.directives['worker-src'] ||= default_src
  request.content_security_policy.directives['worker-src'].concat([webpack_url])
end
```
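The following is an added example, not GitLab's code: it models the method on a plain Hash to show the `frame-src` and `worker-src` values it produces and what the `||= default_src` fallback does when a policy defines only `default-src`. The host names, the redirect URL, the `web_ide_csp` and `render` helpers and the `copy_fallback` switch are assumptions made for the illustration.

```ruby
require 'uri'

# Hypothetical model of the concern: a plain Hash stands in for
# request.content_security_policy.directives. The host names, the redirect URL
# and the copy_fallback switch are constructed for this example.
def web_ide_csp(directives, request_url, relative_url_root: '', copy_fallback: false)
  return directives if directives.empty?

  base_uri = URI(request_url)
  base_uri.path = relative_url_root || '/'
  base_uri.path += '/assets/webpack/'
  base_uri.query = nil # the query string must not reach the CSP source
  webpack_url = base_uri.to_s

  default_src = Array(directives['default-src'] || [])
  # Array(x) returns x itself when x is already an Array, so without a copy
  # the `||=` fallback hands the default-src object to the other directives.
  fallback = -> { copy_fallback ? default_src.dup : default_src }

  directives['frame-src'] ||= fallback.call
  directives['frame-src'].concat([webpack_url,
                                  'https://*.extensions.example.test/',
                                  'https://gitlab.example.test/oauth-redirect-placeholder'])
  directives['worker-src'] ||= fallback.call
  directives['worker-src'].concat([webpack_url])
  directives
end

# Serialise the directives the way the response header would carry them.
def render(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
end

SAMPLE_URL = 'https://gitlab.example.test/-/ide/project/g/p?ref=main' # constructed

shared = web_ide_csp({ 'default-src' => ["'self'"] }, SAMPLE_URL)
copied = web_ide_csp({ 'default-src' => ["'self'"] }, SAMPLE_URL, copy_fallback: true)
puts "shared fallback: #{render(shared)}"
puts "copied fallback: #{render(copied)}"
```

When the policy already sets `frame-src` and `worker-src`, the fallback never runs and only those two directives grow.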