Merge branch '337033-jira-connect-csp-domains' into 'master'

Include *.jira.com in Jira Connect CSP frame ancestors

See merge request gitlab-org/gitlab!84967

app/controllers/jira_connect/subscriptions_controller.rb

@@ -11,7 +11,9 @@ class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
     style_src_values = Array.wrap(p.directives['style-src']) | %w('self' 'unsafe-inline')
     # rubocop: enable Lint/PercentStringArray
 
-    p.frame_ancestors :self, 'https://*.atlassian.net'
+    # *.jira.com is needed for some legacy Jira Cloud instances, new ones will use *.atlassian.net
+    # https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/
+    p.frame_ancestors :self, 'https://*.atlassian.net', 'https://*.jira.com'
     p.script_src(*script_src_values)
     p.style_src(*style_src_values)
   end

spec/features/jira_connect/subscriptions_spec.rb

@@ -36,7 +36,7 @@ RSpec.describe 'Subscriptions Content Security Policy' do
     it 'appends to CSP directives' do
       visit jira_connect_subscriptions_path(jwt: jwt)
 
-      is_expected.to include("frame-ancestors 'self' https://*.atlassian.net")
+      is_expected.to include("frame-ancestors 'self' https://*.atlassian.net https://*.jira.com")
       is_expected.to include("script-src 'self' https://some-cdn.test https://connect-cdn.atl-paas.net")
       is_expected.to include("style-src 'self' https://some-cdn.test 'unsafe-inline'")
     end