Allow frontend to access LFS file storage URL
What does this MR do and why?
Allow frontend to access LFS file storage URL
When loading the blob page the blob controller inserts the connect_src values for the files that are displayed on the requested page.
When VueJS navigates to the blob page content security policy from the tree page will still be active, meaning the download request for the file will be blocked by the content security policy as the connect_src directive doesn't include the storage url.
Now we check if lfs storage is enabled and proxy download is turned off during initialization. If they both are true we add the storage url to the global content security policy.
Changelog: fixed
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
 |
 |
How to set up and validate locally
- Configure LFS with
proxy_download: false - Restart gitlab server
- Load any page and view the response headers
Content-Security-Policy.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.