Merge branch 'chore/remove-blob-csp-headers' into 'master'

Remove generated CSP directive entries from Blob#show See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127060 Merged-by: Robert May <rmay@gitlab.com> Approved-by: Robert May <rmay@gitlab.com> Approved-by: Jerry Seto <jseto@gitlab.com> Reviewed-by: Joe Woodward <jwoodward@gitlab.com> Co-authored-by: Joe Woodward <jwoodward@gitlab.com>

Merge branch 'chore/remove-blob-csp-headers' into 'master'
96d2a85f · Robert May · 45536826 · a9c847cf · 96d2a85f · 45536826
--- a/app/controllers/projects/blob_controller.rb
+++ b/app/controllers/projects/blob_controller.rb
@@ -274,8 +274,6 @@ def show_html
    @last_commit = @repository.last_commit_for_path(@commit.id, @blob.path, literal_pathspec: true)
    @code_navigation_path = Gitlab::CodeNavigationPath.new(@project, @blob.commit_id).full_json_path_for(@blob.path)
-    allow_lfs_direct_download
    render 'show'
  end
@@ -320,30 +318,6 @@ def visitor_id
    current_user&.id
  end
-  def allow_lfs_direct_download
-    return unless directly_downloading_lfs_object? && content_security_policy_enabled?
-    return unless (lfs_object = @project.lfs_objects.find_by_oid(@blob.lfs_oid))
-    request.content_security_policy.directives['connect-src'] ||= []
-    request.content_security_policy.directives['connect-src'] << lfs_src(lfs_object)
-  end
-  def directly_downloading_lfs_object?
-    Gitlab.config.lfs.enabled &&
-      !Gitlab.config.lfs.object_store.proxy_download &&
-      @blob&.stored_externally?
-  end
-  def content_security_policy_enabled?
-    Gitlab.config.gitlab.content_security_policy.enabled
-  end
-  def lfs_src(lfs_object)
-    file = lfs_object.file
-    file = file.cdn_enabled_url(request.remote_ip) if file.respond_to?(:cdn_enabled_url)
-    file.url
-  end
  alias_method :tracking_project_source, :project
  def tracking_namespace_source

--- a/spec/requests/projects/blob_spec.rb
+++ b/spec/requests/projects/blob_spec.rb
-# frozen_string_literal: true
-require 'spec_helper'
-RSpec.describe 'Blobs', feature_category: :source_code_management do
-  let_it_be(:project) { create(:project, :public, :repository, lfs: true) }
-  describe 'GET /:namespace_id/:project_id/-/blob/:id' do
-    subject(:request) do
-      get namespace_project_blob_path(namespace_id: project.namespace, project_id: project, id: id)
-    end
-    context 'with LFS file' do
-      let(:id) { 'master/files/lfs/lfs_object.iso' }
-      let(:object_store_host) { 'http://127.0.0.1:9000' }
-      let(:connect_src) do
-        csp = response.headers['Content-Security-Policy']
-        csp.split('; ').find { |src| src.starts_with?('connect-src') }
-      end
-      let(:gitlab_config) do
-        Gitlab.config.gitlab.deep_merge(
-          'content_security_policy' => {
-            'enabled' => content_security_policy_enabled
-          }
-        )
-      end
-      let(:lfs_config) do
-        Gitlab.config.lfs.deep_merge(
-          'enabled' => lfs_enabled,
-          'object_store' => {
-            'remote_directory' => 'lfs-objects',
-            'enabled' => true,
-            'proxy_download' => proxy_download,
-            'connection' => {
-              'endpoint' => object_store_host,
-              'path_style' => true
-            }
-          }
-        )
-      end
-      before do
-        stub_config_setting(gitlab_config)
-        stub_lfs_setting(lfs_config)
-        stub_lfs_object_storage(proxy_download: proxy_download)
-        request
-      end
-      describe 'directly downloading lfs file' do
-        let(:lfs_enabled) { true }
-        let(:proxy_download) { false }
-        let(:content_security_policy_enabled) { true }
-        it { expect(response).to have_gitlab_http_status(:success) }
-        it { expect(connect_src).to include(object_store_host) }
-        context 'when lfs is disabled' do
-          let(:lfs_enabled) { false }
-          it { expect(response).to have_gitlab_http_status(:success) }
-          it { expect(connect_src).not_to include(object_store_host) }
-        end
-        context 'when content_security_policy is disabled' do
-          let(:content_security_policy_enabled) { false }
-          it { expect(response).to have_gitlab_http_status(:success) }
-          it { expect(connect_src).not_to include(object_store_host) }
-        end
-        context 'when proxy download is enabled' do
-          let(:proxy_download) { true }
-          it { expect(response).to have_gitlab_http_status(:success) }
-          it { expect(connect_src).not_to include(object_store_host) }
-        end
-      end
-    end
-  end
-end