Skip to content

Block outgoing Chrome connections in Capybara tests

Stan Hu requested to merge sh-block-chrome-outbound into master

What does this MR do and why?

https://www.chromium.org/developers/design-documents/network-settings describes that it's possible to use the --proxy-server and --proxy-bypass-list. We use this feature to block external network access but still allow local access to the network. This prevents specs from testing against GitLab.com and accessing external resources.

While testing this, it appears that Chrome was quite often accessing Gravatar for user avatars. We will probably want a way to disable this feature outright, but Gravatar requests will now fail, rendering them blank in feature specs.

Relates to #386091 (closed)

How to set up and validate locally

  1. Revert !107292 (merged) in spec/features/projects_spec.rb:
diff --git a/spec/features/projects_spec.rb b/spec/features/projects_spec.rb
index ec0b3f9d81b6..701dcebb0f30 100644
--- a/spec/features/projects_spec.rb
+++ b/spec/features/projects_spec.rb
@@ -327,9 +327,9 @@
     end

     it 'has working links to submodules' do
-      submodule = find_link('645f6c4c')
+      click_link('645f6c4c')

-      expect(submodule[:href]).to eq('https://gitlab.com/gitlab-org/gitlab-grack/-/tree/645f6c4c82fd3f5e06f67134450a570b795e55a6')
+      expect(page).to have_selector('.ref-selector', text: '645f6c4c82fd3f5e06f67134450a570b795e55a6')
     end

     context 'for signed commit on default branch', :js do
  1. Hard-code the proxy port in this branch:
diff --git a/spec/support/capybara.rb b/spec/support/capybara.rb
index 632366ef2ea4..ff322f3b206b 100644
--- a/spec/support/capybara.rb
+++ b/spec/support/capybara.rb
@@ -85,7 +85,7 @@
 
   # Generate a random port to blackhole all external traffic
   tcp_server = TCPServer.new('127.0.0.1', 0)
-  options.add_argument("--proxy-server=http://127.0.0.1:#{tcp_server.addr[1]}")
+  options.add_argument("--proxy-server=http://127.0.0.1:9999")
   options.add_argument("--proxy-bypass-list=127.0.0.1,localhost,#{Gitlab.config.gitlab.host}")
 
   Capybara::Selenium::Driver.new(

  1. Listen on that port: nc -k -l 9999

  2. Run the test: bundle exec rspec spec/features/projects_spec.rb:329

  3. The test should fail with a blank Capybara screenshot, and the nc output should show an attempt to contact GitLab.com via a proxy:

% nc -k -l 9999
CONNECT gitlab.com:443 HTTP/1.1
Host: gitlab.com:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/108.0.5359.124 Safari/537.36

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu

Merge request reports