Use tracing external_url for frame_src csp

ee/app/controllers/projects/tracings_controller.rb

@@ -4,7 +4,9 @@ class Projects::TracingsController < Projects::ApplicationController
   content_security_policy do |p|
     next if p.directives.blank?
 
-    p.frame_src("*")
+    global_frame_src = p.frame_src
+
+    p.frame_src -> { frame_src_csp_policy(global_frame_src) }
   end
 
   before_action :check_license
@@ -18,4 +20,10 @@ class Projects::TracingsController < Projects::ApplicationController
   def check_license
     render_404 unless @project.feature_available?(:tracing, current_user)
   end
+
+  def frame_src_csp_policy(global_frame_src)
+    external_url = @project&.tracing_setting&.external_url
+
+    external_url.presence || global_frame_src
+  end
 end

ee/spec/features/projects/tracings_spec.rb

@@ -31,7 +31,7 @@ describe 'Tracings Content Security Policy' do
   context 'when a global CSP config exists' do
     before do
       csp = ActionDispatch::ContentSecurityPolicy.new do |p|
-        p.frame_src :self, 'https://should-get-overwritten.com'
+        p.frame_src 'https://global-policy.com'
       end
 
       expect_next_instance_of(Projects::TracingsController) do |controller|
@@ -39,10 +39,22 @@ describe 'Tracings Content Security Policy' do
       end
     end
 
-    it 'overwrites frame-src' do
-      visit project_tracing_path(project)
+    context 'when external_url is set' do
+      let!(:project_tracing_setting) { create(:project_tracing_setting, project: project) }
+
+      it 'overwrites frame-src' do
+        visit project_tracing_path(project)
 
-      is_expected.to eq("frame-src *")
+        is_expected.to eq("frame-src https://example.com")
+      end
+    end
+
+    context 'when external_url is not set' do
+      it 'uses global policy' do
+        visit project_tracing_path(project)
+
+        is_expected.to eq("frame-src https://global-policy.com")
+      end
     end
   end
 end