Test stricter frame-src CSP directive
I'm evaluating if removing self from the frame-src directive is going to break anything. Can you test that on your standalone instance and see if you get any violation reports?
I ran all QA tests with that change in gitlab-org/gitlab!61159 (closed) and it's green.
You'd need to change from
'frame_src' => "'self'",
to
'frame_src' => "/-/speedscope/index.html",
The speedscope thing is used in the "performance bar" from my understanding.
Let me know if you can test that and what the results are!
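
One way to triage the violation reports from such a test, as an added example that is not part of the original issue or GitLab's code: it keeps only frame-src violations and separates same-origin frames (the ones 'self' used to permit, so candidates for breakage) from cross-origin ones. It assumes reports were collected in the legacy report-uri JSON shape; the hosts, paths and the `frame_src_breakage` helper are constructed for illustration.

```ruby
require 'json'
require 'uri'

# Constructed sample reports (legacy report-uri JSON shape); hosts and paths are placeholders.
SAMPLE_REPORTS = ([
  { 'document-uri' => 'https://gitlab.example.test/g/p/-/jobs/1',
    'effective-directive' => 'frame-src',
    'blocked-uri' => 'https://gitlab.example.test/g/p/-/jobs/1/report.html' },
  { 'document-uri' => 'https://gitlab.example.test/g/p/-/jobs/2',
    'violated-directive' => 'frame-src /-/speedscope/index.html', # older shape: no effective-directive
    'blocked-uri' => 'https://gitlab.example.test/g/p/-/jobs/1/report.html' },
  { 'document-uri' => 'https://gitlab.example.test/g/p',
    'effective-directive' => 'frame-src',
    'blocked-uri' => 'https://video.example.test' },
  { 'document-uri' => 'https://gitlab.example.test/g/p',
    'effective-directive' => 'script-src',
    'blocked-uri' => 'inline' }
].map { |r| JSON.generate('csp-report' => r) } + ['{not json']).freeze

# scheme://host:port of a URL, or nil for keywords such as "inline".
def origin_of(uri_string)
  uri = URI.parse(uri_string)
  uri.scheme && uri.host ? "#{uri.scheme}://#{uri.host}:#{uri.port}" : nil
rescue URI::InvalidURIError
  nil
end

# Counts frame-src violations, split by whether the blocked frame shares the
# reporting document's origin (previously allowed by 'self') or not.
def frame_src_breakage(raw_reports)
  result = { same_origin: Hash.new(0), cross_origin: Hash.new(0), skipped: 0 }
  raw_reports.each do |raw|
    begin
      report = JSON.parse(raw).fetch('csp-report')
    rescue JSON::ParserError, KeyError, TypeError
      result[:skipped] += 1 # malformed body: count it, do not abort the run
      next
    end
    directive = (report['effective-directive'] || report['violated-directive']).to_s.split.first
    next unless directive == 'frame-src'

    blocked = report['blocked-uri'].to_s
    doc_origin = origin_of(report['document-uri'].to_s)
    if doc_origin && origin_of(blocked) == doc_origin
      result[:same_origin][URI.parse(blocked).path] += 1
    else
      result[:cross_origin][blocked] += 1
    end
  end
  result
end

pp frame_src_breakage(SAMPLE_REPORTS) if __FILE__ == $PROGRAM_NAME
```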