
Improve Web IDE security popup messaging for air-gapped environments

Release notes

Improved the Web IDE user experience in air-gapped environments by clarifying the security popup messaging shown when the extension marketplace is already disabled.

Problem to solve

In air-gapped GitLab environments where the extension marketplace is already disabled at both instance and user levels, the Web IDE displays a security warning popup that states:

"Web view and the extension marketplace were disabled for security reasons. The web side requires HTTPS and extension host to isolate 3rd party code"


This popup creates confusion because:

  1. Misleading security implication: The message suggests there's an active security issue, when this is actually expected and secure behaviour for air-gapped environments
  2. Redundant warning: The extension marketplace is already intentionally disabled via admin settings and user preferences
  3. Poor user experience: Users must click "Don't Show Again" on what appears to be a security warning, which feels counterintuitive from a security perspective
  4. Inconsistent with design intent: Air-gapped deployments are a supported use case, but the messaging treats this as an error condition

This issue affects banking and other high-security organisations that operate GitLab in air-gapped environments and have strict security requirements.

Proposal

Option 1: Remove the popup entirely when the marketplace is pre-disabled

  • Detect when the extension marketplace is disabled at both instance and user levels
  • Skip showing the security popup in these cases since it's intentionally configured

Option 2: Improve the popup messaging

  • Change the wording to clarify this is expected behavior, not a security issue
  • Example: "Extension marketplace and web views are disabled in this air-gapped environment. This is working as designed for security."
  • Use informational styling instead of warning/error styling

Option 3: Add admin setting to control popup

  • Provide an admin setting to disable this popup entirely
  • Useful for organizations that have intentionally configured air-gapped deployments

Recommended approach: Implement Option 1 as the primary solution, with Option 3 as a fallback admin control.

Intended users

  • System Administrators managing GitLab in air-gapped environments
  • Developers using Web IDE in banking, government, and other high-security organizations
  • Security teams who need to ensure users aren't dismissing legitimate security warnings

Feature Usage Metrics

  • Track instances where the popup would have been shown but was suppressed due to pre-disabled marketplace
  • Monitor admin setting usage (if Option 3 is implemented)
  • Measure reduction in user confusion/support tickets related to this popup
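The following is an added illustration of the recommended approach (Option 1 with the Option 3 admin control as fallback) together with the "suppressed popup" metric described above. It is not GitLab's Web IDE code; the setting names (instanceMarketplaceEnabled, userMarketplaceEnabled, webViewsAvailable, adminSuppressNotice) are assumed inputs, not real GitLab configuration keys. The point it makes is that suppression only applies when the marketplace was disabled on purpose; when a user expects the marketplace but the page cannot isolate third-party code, the warning is still shown, so nobody learns to dismiss a legitimate security notice.

```javascript
// Added example, not GitLab's code. Models the Option 1 / Option 3 decision
// and the "popup would have been shown but was suppressed" metric.
// All input names below are assumptions for illustration.

const NOTICE = Object.freeze({ NONE: 'none', WARNING: 'warning' });

// Tally of suppressed popups, keyed by the reason they were suppressed.
const suppressionCounts = new Map();

function recordSuppression(reason) {
  suppressionCounts.set(reason, (suppressionCounts.get(reason) || 0) + 1);
}

function getSuppressionCounts() {
  return Object.fromEntries(suppressionCounts);
}

function resetSuppressionCounts() {
  suppressionCounts.clear();
}

// Decide whether the Web IDE should show the marketplace security popup.
function decideMarketplaceNotice(ctx) {
  const {
    instanceMarketplaceEnabled,   // assumed: instance-level admin setting
    userMarketplaceEnabled,       // assumed: user preference
    webViewsAvailable,            // assumed: HTTPS and isolated extension host present
    adminSuppressNotice = false,  // assumed: Option 3 admin control
  } = ctx;

  // Isolation is available, so nothing was disabled and there is nothing to announce.
  if (webViewsAvailable) {
    return { notice: NOTICE.NONE, reason: 'isolation-available' };
  }

  // Option 1: disabled on purpose at both levels. This is the expected
  // air-gapped state, so stay silent and count the suppression for metrics.
  if (!instanceMarketplaceEnabled && !userMarketplaceEnabled) {
    recordSuppression('pre-disabled');
    return { notice: NOTICE.NONE, reason: 'pre-disabled' };
  }

  // Option 3: the administrator chose to silence the popup explicitly.
  if (adminSuppressNotice) {
    recordSuppression('admin-setting');
    return { notice: NOTICE.NONE, reason: 'admin-setting' };
  }

  // The marketplace is expected somewhere, yet the page cannot isolate
  // third-party code. That is a genuine warning and must remain visible.
  return { notice: NOTICE.WARNING, reason: 'isolation-missing', dismissible: true };
}

// Constructed sample contexts for a quick stand-alone run.
const airGapped = { instanceMarketplaceEnabled: false, userMarketplaceEnabled: false, webViewsAvailable: false };
const plainHttp = { instanceMarketplaceEnabled: true, userMarketplaceEnabled: true, webViewsAvailable: false };
console.log(decideMarketplaceNotice(airGapped)); // { notice: 'none', reason: 'pre-disabled' }
console.log(decideMarketplaceNotice(plainHttp)); // { notice: 'warning', ... }
console.log(getSuppressionCounts());
```

The suppression counter is what the "track instances where the popup would have been shown but was suppressed" metric would read from; the reason key separates Option 1 suppressions from Option 3 ones so admin-setting usage can be monitored independently.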

Does this feature require an audit event?

No, this feature does not require an audit event as it only affects UI messaging and does not change any security controls or access permissions. The underlying security behavior (disabling marketplace in air-gapped environments) remains unchanged.
