(canary) Creating Kubernetes Cluster - cannot fetch Google project billing status
Summary
When creating a new Kubernetes Cluster, and I select a project from the "Google Cloud Platform project" field, the request to Google is blocked by CSP.
Steps to reproduce
- Turn on canary by setting the gitlab_canary cookie
- Go to Operations, Kubernetes
- Select "Create new Cluster on GKE"
- Select any project from the "Google Cloud Platform project" field
Example Project
https://gitlab.com/tkuah/test_rails/clusters/new
What is the current bug behavior?
The "Google Cloud Platform project" field is stuck on "Validating project billing status" and cannot be selected anymore.
What is the expected correct behavior?
We successfully validate the project billing status, and the field shows the GCP project that was selected by the user.
Relevant logs and/or screenshots
Console shows the following error:
Refused to frame 'https://content-cloudbilling.googleapis.com/' because it violates the following Content Security Policy directive: "frame-src 'self' https://www.google.com/recaptcha/ https://content.googleapis.com https://content-cloudresourcemanager.googleapis.com".
With gitlab_canary, I receive the following header for https://gitlab.com/tkuah/test_rails/clusters/new :
Content-Security-Policy: object-src 'none'; worker-src https://assets.gitlab-static.net https://gl-canary.global.ssl.fastly.net https://gitlab.com blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://gl-canary.global.ssl.fastly.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://apis.google.com; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net https://gl-canary.global.ssl.fastly.net; img-src * data: blob:; frame-src 'self' https://www.google.com/recaptcha/ https://content.googleapis.com https://content-cloudresourcemanager.googleapis.com; frame-ancestors 'self'; connect-src 'self' https://assets.gitlab-static.net https://gl-canary.global.ssl.fastly.net wss://gitlab.com https://sentry.gitlap.com https://customers.gitlab.com; report-uri https://sentry-infra.gitlap.com/api/3/csp-report/?sentry_key=a664fdde83424b43a991f25fa7c78987
Without gitlab_canary:
Content-Security-Policy: object-src 'none'; worker-src https://assets.gitlab-static.net https://gitlab.com blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://assets.gitlab-static.net https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://apis.google.com; style-src 'self' 'unsafe-inline' https://assets.gitlab-static.net; img-src * data: blob:; frame-src 'self' https://www.google.com/recaptcha/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com; frame-ancestors 'self'; connect-src 'self' https://assets.gitlab-static.net wss://gitlab.com https://sentry.gitlap.com https://customers.gitlab.com; report-uri https://sentry-infra.gitlap.com/api/3/csp-report/?sentry_key=a664fdde83424b43a991f25fa7c78987
So somehow, the canary servers are missing https://content-cloudbilling.googleapis.com from the CSP header.
Output of checks
This bug happens on GitLab.com
Possible fixes
Add the above src to the frame-src CSP directive.
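To make the comparison above repeatable, here is an added example (not code from this issue or from GitLab itself) that parses the two Content-Security-Policy headers, lists which frame-src sources the canary header lacks, and checks whether the URL the console reported as blocked would be allowed under each policy. It assumes the frame-src lines quoted above, shortened to the directives that matter here, and a page origin of https://gitlab.com. Run against the quoted headers it also shows that https://content-compute.googleapis.com is absent from the canary frame-src, not only the cloudbilling host.

```ruby
require 'uri'

# frame-src directives copied from the two headers quoted in this issue,
# shortened to the directives relevant to the bug (constructed for this example).
CANARY_CSP = "object-src 'none'; frame-src 'self' https://www.google.com/recaptcha/ " \
             "https://content.googleapis.com https://content-cloudresourcemanager.googleapis.com; " \
             "frame-ancestors 'self'"
PROD_CSP   = "object-src 'none'; frame-src 'self' https://www.google.com/recaptcha/ " \
             "https://content.googleapis.com https://content-compute.googleapis.com " \
             "https://content-cloudbilling.googleapis.com " \
             "https://content-cloudresourcemanager.googleapis.com; frame-ancestors 'self'"

# Parse a CSP header into { "directive-name" => ["source", ...] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |chunk, acc|
    tokens = chunk.strip.split(/\s+/)
    next if tokens.empty?
    name, *sources = tokens
    acc[name.downcase] = sources
  end
end

# Sources listed for a directive in the baseline header but missing from the candidate.
def missing_sources(baseline, candidate, directive)
  parse_csp(baseline).fetch(directive, []) - parse_csp(candidate).fetch(directive, [])
end

# Does one source expression permit this URL? Handles the forms present in the
# issue's headers: 'none', '*', 'self', and host-sources with an optional path.
def source_allows?(source, url, page_origin)
  target = URI(url)
  case source
  when "'none'" then false
  when "*"      then true
  when "'self'"
    origin = URI(page_origin)
    origin.scheme == target.scheme && origin.host == target.host && origin.port == target.port
  when /\A'/    then false # other quoted keywords never match a URL
  else
    src = URI(source)
    return false unless src.scheme == target.scheme && src.host == target.host
    return false unless src.port == target.port
    path = src.path
    return true if path.empty? || path == '/'
    # A source path ending in '/' is a prefix match; otherwise it must match exactly.
    path.end_with?('/') ? target.path.start_with?(path) : target.path == path
  end
end

# Would the browser allow framing this URL under the policy? Falls back to
# child-src, then default-src, when frame-src is absent; with none present,
# framing is unrestricted.
def frame_allowed?(header, url, page_origin = "https://gitlab.com")
  policy = parse_csp(header)
  sources = policy["frame-src"] || policy["child-src"] || policy["default-src"]
  return true if sources.nil?
  sources.any? { |s| source_allows?(s, url, page_origin) }
end

if __FILE__ == $0
  blocked = "https://content-cloudbilling.googleapis.com/" # URL from the console error above
  puts "missing from canary frame-src: #{missing_sources(PROD_CSP, CANARY_CSP, 'frame-src').join(' ')}"
  puts "canary allows billing frame? #{frame_allowed?(CANARY_CSP, blocked)}"
  puts "prod allows billing frame?   #{frame_allowed?(PROD_CSP, blocked)}"
end
```

The same check can be pointed at the full headers as captured from the two environments; diffing the parsed directive lists rather than the raw header strings is what makes a dropped source like this one stand out, since the canary header also differs in its asset hosts and would otherwise produce a noisy diff.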