Add option to disable request forgery protection of action cable

config/initializers/action_cable.rb

@@ -8,6 +8,11 @@
   config.action_cable.url = Gitlab::Utils.append_path(Gitlab.config.gitlab.relative_url_root, '/-/cable')
   config.action_cable.worker_pool_size = Gitlab::ActionCable::Config.worker_pool_size
   config.action_cable.allowed_request_origins = [Gitlab.config.gitlab.url] if Rails.env.development? || Rails.env.test?
+  if Rails.env.development? || Rails.env.test?
+    config.action_cable.disable_request_forgery_protection = Gitlab::Utils.to_boolean(
+      ENV.fetch('ACTION_CABLE_DISABLE_REQUEST_FORGERY_PROTECTION', false)
+    )
+  end
 end
 
 ActionCable::SubscriptionAdapter::Base.prepend(Gitlab::Patch::ActionCableSubscriptionAdapterIdentifier)

spec/initializers/action_cable_spec.rb

@@ -47,6 +47,7 @@
 
   describe 'config' do
     before do
+      stub_env('ACTION_CABLE_DISABLE_REQUEST_FORGERY_PROTECTION', disable_request_forgery_protection.to_s)
       stub_rails_env(rails_env) if rails_env
       stub_config_setting(relative_url_root: '/gitlab/root', url: 'example.com', https: true)
 
@@ -62,6 +63,7 @@
     end
 
     let(:rails_env) { nil }
+    let(:disable_request_forgery_protection) { false }
 
     subject(:config) { Rails.application.config.action_cable }
 
@@ -104,5 +106,28 @@
         it { is_expected.to eq(nil) }
       end
     end
+
+    describe 'disable_request_forgery_protection' do
+      subject { config.disable_request_forgery_protection }
+
+      context 'when in test' do
+        let(:rails_env) { 'test' }
+
+        it { is_expected.to eq(false) }
+      end
+
+      context 'when in development' do
+        let(:rails_env) { 'development' }
+        let(:disable_request_forgery_protection) { true }
+
+        it { is_expected.to eq(true) }
+      end
+
+      context 'when in production' do
+        let(:rails_env) { 'production' }
+
+        it { is_expected.to eq(nil) }
+      end
+    end
   end
 end