After upgrading to 5.7.0 Mermaid flowcharts fail to load due to connection refused
Summary
After I updated GitLab to the latest version, Mermaid charts fail to load because X-Frame-Options is set to deny.
Steps to reproduce
Upgraded to chart version 5.7.0 and looked at a wiki page with an embedded Mermaid chart. The chart fails to load because Chrome blocks it.
Configuration used
```yaml
global:
  edition: ce
  ## doc/charts/globals.md#configure-appconfig-settings
  ## Rails based portions of this chart share many settings
  appConfig:
    ## doc/charts/globals.md#general-application-settings
    contentSecurityPolicy:
      enabled: false
      report_only: false
```
I've also tried:
```yaml
global:
  edition: ce
  ## doc/charts/globals.md#configure-appconfig-settings
  ## Rails based portions of this chart share many settings
  appConfig:
    contentSecurityPolicy:
      enabled: true
      report_only: false
      directives:
        default_src: "'self'"
        script_src: "'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com"
        frame_ancestor: "'self'"
        frame_src: "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        img_src: "* data: blob:"
        style_src: "'self' 'unsafe-inline'"
```
but alas, this also didn't fix the issue. The Content-Security-Policy header is correctly set, but the X-Frame-Options header appears to take priority over the CSP in denying the frame.
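As an added example, not code from the issue or from the GitLab chart: a small check of which response header decides whether a page may be framed. Browsers apply a CSP `frame-ancestors` directive in preference to `X-Frame-Options`; when the policy that is sent carries no `frame-ancestors` (that is the CSP spelling of the directive), `X-Frame-Options: deny` stays in force. The host names and header values below are constructed placeholders.

```python
# Added example (not from the issue or the GitLab chart): decide whether a browser
# would allow a page to be framed, from its response headers. A CSP frame-ancestors
# directive takes precedence over X-Frame-Options; without it, X-Frame-Options decides.
from urllib.parse import urlsplit


def csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def source_matches(source: str, embedder_url: str, page_url: str) -> bool:
    """Match one source ('none', *, 'self', scheme: or host) against the embedder."""
    emb, pg = urlsplit(embedder_url), urlsplit(page_url)
    if source in ("none", "*"):
        return source == "*"
    if source == "self":
        return (emb.scheme, emb.netloc) == (pg.scheme, pg.netloc)
    if source.endswith(":"):                       # scheme-source such as "https:"
        return emb.scheme + ":" == source
    src = urlsplit(source)                         # host-source such as https://a.example
    return (emb.scheme, emb.netloc) == (src.scheme, src.netloc)


def framing_allowed(headers: dict, page_url: str, embedder_url: str):
    """Return (allowed, reason) for embedding page_url in a document at embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:                      # CSP present with frame-ancestors
        ok = any(source_matches(s, embedder_url, page_url) for s in ancestors)
        return ok, "CSP frame-ancestors governs; X-Frame-Options is ignored"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "X-Frame-Options: deny"
    if xfo == "sameorigin":
        return source_matches("self", embedder_url, page_url), "X-Frame-Options: sameorigin"
    return True, "no framing restriction sent"


# Constructed sample headers (placeholder host) modelled on the symptom in the
# report: X-Frame-Options is deny and the CSP that is sent has no frame-ancestors.
PAGE = "https://gitlab.example.test/"
REPORTED = {"X-Frame-Options": "deny",
            "Content-Security-Policy": "default-src 'self'; frame-src 'self'"}
WITH_ANCESTORS = {"X-Frame-Options": "deny",
                  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
```

Running `framing_allowed(REPORTED, PAGE, PAGE)` reports the deny, while the same headers with `frame-ancestors 'self'` allow the same-origin frame.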
Current behavior
The X-Frame-Options header is set to 'deny', resulting in a Chrome error stating that the server refused to connect to the client.
Expected behavior
The Mermaid chart should properly load.
Versions
- Chart: 5.7.0
- Platform:
  - Cloud: GKE
- Kubernetes: (`kubectl version`)
  - Client: 1.23.3
  - Server: 1.21.5-gke.1802
- Helm: (`helm version`)
  - Client: 3.8.0
  - Server: n.a.
Relevant logs
Refused to display 'https://gitlab.<hostname>/' in a frame because it set 'X-Frame-Options' to 'deny'.
Workaround
By setting the following configuration:
```yaml
global:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/configuration-snippet: |
        more_clear_headers "X-Frame-Options";
```
I was able to load the file, but clearing the X-Frame-Options header doesn't seem to be the correct solution.