Feature specs sometimes fail on content security policy error, when loading hot module reload script

There's an issue where feature specs sometimes fail because the hot module reloader address is not allowed by the CSP. This happens when the hostname is changed from localhost.

Example: gitlab#416661 (comment 1452117899)

In the test:

          JSConsoleError:
            Unexpected browser console output:
            webpack-internal:///AjYE 15 Refused to connect to 'ws://gdk.test:3001/_hmr/' because it violates the following Content Security Policy directive: "connect-src 'self' ws://localhost localhost".

and in the UI:

Uncaught runtime errors:

ERROR
Cannot read properties of null (reading 'addEventListener')
TypeError: Cannot read properties of null (reading 'addEventListener')

Stack trace

Full example trace
     1.2) Failure/Error: raise JSConsoleError, message

          JSConsoleError:
            Unexpected browser console output:
            webpack-internal:///AjYE 15 Refused to connect to 'ws://gdk.test:3001/_hmr/' because it violates the following Content Security Policy directive: "connect-src 'self' ws://localhost localhost".

            webpack-internal:///4BFc 130:13 Uncaught TypeError: Cannot read properties of null (reading 'addEventListener')
            webpack-internal:///1WDD 492:22 "[webpack-dev-server]" Event
          # ./spec/support/capybara.rb:220:in `block (2 levels) in <main>'
          # ./spec/spec_helper.rb:444:in `block (3 levels) in <top (required)>'
          # ./spec/support/sidekiq_middleware.rb:18:in `with_sidekiq_server_middleware'
          # ./spec/spec_helper.rb:435:in `block (2 levels) in <top (required)>'
          # ./spec/spec_helper.rb:431:in `block (3 levels) in <top (required)>'
          # ./lib/gitlab/application_context.rb:61:in `with_raw_context'
          # ./spec/spec_helper.rb:431:in `block (2 levels) in <top (required)>'
          # ./spec/spec_helper.rb:268:in `block (2 levels) in <top (required)>'
          # ./spec/support/system_exit_detected.rb:7:in `block (2 levels) in <main>'
          # ./spec/support/database/prevent_cross_joins.rb:106:in `block (3 levels) in <main>'
          # ./spec/support/database/prevent_cross_joins.rb:60:in `with_cross_joins_prevented'
          # ./spec/support/database/prevent_cross_joins.rb:106:in `block (2 levels) in <main>'

To reproduce

  1. Set up a hostname other than localhost in gdk.yml.
  2. Ensure that live_reload is not set to false.
  3. Run gdk reconfigure if required.
  4. Run bin/rspec ee/spec/features/projects/new_project_spec.rb:150 in the /gitlab directory.

Proposed solution

The content security policy comes from gitlab.yml.

Having this line pull the hostname field from gdk.yml might fix this issue permanently, essentially replacing ws://localhost:* with ws://{hostname}:*.

Notes

I'm not sure why this only causes some specs to fail. This is probably worth investigating.

There's currently a workaround - disable the hot module reloader completely before running feature specs:

    # gdk.yml
    webpack:
      live_reload: false

Then run gdk reconfigure.

Edited by Tristan Read
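
An added diagnostic sketch in Ruby (not GitLab or GDK code): it parses the console line quoted in this issue, lists the hosts named by the violated directive, and derives the ws://{hostname}:* source from the proposed solution. The function names and result keys are hypothetical, and it compares host names only rather than implementing full CSP source matching.

```ruby
require 'uri'

# Constructed sample: the console line quoted in the issue above.
SAMPLE = %q{webpack-internal:///AjYE 15 Refused to connect to 'ws://gdk.test:3001/_hmr/' because it violates the following Content Security Policy directive: "connect-src 'self' ws://localhost localhost".}

# Shape of the browser's console message for a blocked connection, as seen in the trace.
VIOLATION = /Refused to connect to '(?<url>[^']+)' because it violates the following Content Security Policy directive: "(?<directive>[\w-]+) (?<sources>[^"]*)"/

# Host named by a host-source such as ws://localhost:* or localhost.
# Returns nil for keywords ('self') and bare scheme sources (ws:).
def source_host(source)
  return nil if source.start_with?("'") || source.end_with?(':')

  source.sub(%r{\A[a-z][a-z0-9+.-]*://}i, '').sub(%r{[:/].*\z}, '').downcase
end

# Hypothetical helper: summarise one console line, or return nil if it is
# not a "Refused to connect" CSP violation.
def diagnose_csp_violation(console_line)
  m = VIOLATION.match(console_line) or return nil

  blocked = URI.parse(m[:url])
  hosts = m[:sources].split.map { |s| source_host(s) }.compact.uniq

  {
    directive: m[:directive],
    blocked_url: m[:url],
    blocked_host: blocked.host,
    listed_hosts: hosts,
    # false means no source in the directive names the blocked host at all
    host_listed: hosts.include?(blocked.host),
    # source in the form the proposed solution describes: ws://{hostname}:*
    suggested_source: "#{blocked.scheme}://#{blocked.host}:*"
  }
end

if __FILE__ == $PROGRAM_NAME
  diagnose_csp_violation(SAMPLE).each { |key, value| puts "#{key}: #{value.inspect}" }
end
```
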