CSP violation problems with canary enabled
Observed during the 2018-07-24 failover attempt:
Remy noticed that with the gitlab_canary cookie set to true, we get CSP issues for assets; if you set it to false, it goes away.
Loading failed for the <script> with source “https://gl-staging.global.ssl.fastly.net/assets/webpack/runtime.7424e5fb.bundle.js”. help:32
Loading failed for the <script> with source “https://gl-staging.global.ssl.fastly.net/assets/webpack/main.5ab70142.chunk.js”. help:33
Loading failed for the <script> with source “https://gl-staging.global.ssl.fastly.net/assets/webpack/raven.3c09a53c.chunk.js”. help:34
Loading failed for the <script> with source “https://gl-staging.global.ssl.fastly.net/assets/webpack/pages.help.index.0c2f5f3b.chunk.js”. help:35
Content Security Policy: The page’s settings blocked the loading of a resource at https://gl-staging.global.ssl.fastly.net/assets/application-565000dc4886e53b51b6409cbdf794636da759435e3eb6bf91481577b5cd2936.css (“style-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://gl-staging.global.ssl.fastly.net/assets/print-c8ff536271f8974b8a9a5f75c0ca25d2b8c1dceb4cff3c01d1603862a0bdcbfc.css (“style-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://gl-staging.global.ssl.fastly.net/assets/webpack/runtime.7424e5fb.bundle.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://gl-staging.global.ssl.fastly.net/assets/webpack/main.5ab70142.chunk.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://gl-staging.global.ssl.fastly.net/assets/webpack/raven.3c09a53c.chunk.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://gl-staging.global.ssl.fastly.net/assets/webpack/pages.help.index.0c2f5f3b.chunk.js (“script-src”).
Presumably this will break presentation and basic functionality of GitLab when the canary is enabled. We should resolve it prior to the failover, or instruct everyone to disable the canary at failover time.
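To pin down which directive rejects the CDN host, the canary and non-canary response headers can be compared against one of the blocked asset URLs. The following is an added example, not part of the original report or GitLab's code: the two policy strings and the page URL are constructed placeholders (the report does not show the headers actually served), and the matcher is a simplified version of CSP source matching that ignores ports and paths.

```javascript
// Simplified CSP source-list matching: scheme sources, 'self', host, *.host and '*'.
// Port and path components of a source expression are not modelled.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return url.protocol === 'https:' || url.protocol === 'http:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // e.g. https:
  if (s.startsWith("'")) return false; // keywords, nonces and hashes never allow a URL by host
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Returns { allowed, directive } for loading assetUrl as kind 'script' or 'style'.
function checkAsset(header, pageUrl, assetUrl, kind) {
  const policy = parsePolicy(header);
  const wanted = kind + '-src';
  const directive = policy.has(wanted) ? wanted : policy.has('default-src') ? 'default-src' : null;
  if (!directive) return { allowed: true, directive: null }; // nothing governs this load
  const url = new URL(assetUrl);
  const origin = new URL(pageUrl).origin;
  const allowed = policy.get(directive).some((src) => sourceMatches(src, url, origin));
  return { allowed, directive };
}

// Constructed sample input: placeholder page URL and two hypothetical policies.
const PAGE = 'https://gitlab.example.test/help';
const CDN_ASSET = 'https://gl-staging.global.ssl.fastly.net/assets/webpack/runtime.7424e5fb.bundle.js';
const WITHOUT_CDN = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
const WITH_CDN = WITHOUT_CDN.replace(/(script|style)-src 'self'/g, '$& https://gl-staging.global.ssl.fastly.net');

console.log('policy without CDN host:', checkAsset(WITHOUT_CDN, PAGE, CDN_ASSET, 'script'));
console.log('policy with CDN host:   ', checkAsset(WITH_CDN, PAGE, CDN_ASSET, 'script'));
```

Feeding it the real `Content-Security-Policy` header captured with the canary cookie set to true and again with it set to false shows whether the asset host is missing from `script-src` and `style-src` in one of the two responses.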