
Add Zuora Content Security Policy to GitLab.com

What does this MR do and why?

Describe in detail what your merge request does and why.

With this change, we aim to introduce an additional URL to the CSP to allow the Zuora (Hosted Payment Page) to load via iframe. This relates to #387497 (closed). Please see the discussion here for more info.

No behaviour should change (but the related bug should be fixed).

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

This requires both gdk and CustomersDot running (installation steps here).

  • Set up the HPM in the Zuora API Sandbox; you have two ways:
    1. create an HPM similar to this: https://apisandbox.zuora.com/apps/HostedPageLite.do?method=preview&id=8ad099157fd495bf017fdadbab7e6959 – for URL/host, use your gdk host
    2. just use mine 😇 (but please, do not change the configuration) – it assumes you run gdk on http://localhost:3000
  • copy the ID of the page (mine is 8ad099157fd495bf017fdadbab7e6959)
  • go to secrets.yml in CustomersDot and use it for zuora_payment_method_validation_page_id in development settings (if not there, add it manually)
  • (restart CustomersDot)
  • go to the gdk rails console and type Feature.enable(:ci_require_credit_card_on_free_plan)

Then:

  1. Create a new account (or use an account which doesn't have a Credit Card added yet)
  2. Create a group and a project under the group
  3. Under the project, go to Settings > CI/CD and expand the Runners section
  4. Toggle shared runners off and then on; an alert asking to validate the account should appear
  5. Click on the Validate button
  6. You should see the payment form to validate the credit card (see screenshot)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #387497 (closed)

Edited by Angelo Gulina
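Added illustration, not code from this MR or from GitLab: the Ruby below shows why the hosted payment page needs its own CSP entry. A browser resolves an <iframe> load against frame-src, falling back to child-src and then default-src, so a policy that only sets default-src 'self' blocks the page even though scripts and images still work. The sandbox host https://apisandbox.zuora.com is taken from the setup steps above; the exact directive value this MR adds and the production Zuora host are not shown on this page, so every policy string and the hosted-page URL here are constructed examples.

```ruby
# frozen_string_literal: true
require 'uri'

# Parse a Content-Security-Policy header value into { directive => [source expressions] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, acc|
    name, *sources = part.strip.split(/\s+/)
    acc[name] = sources if name
  end
end

# The source list that governs an <iframe> load: frame-src, else child-src, else default-src.
def frame_sources(policy)
  policy['frame-src'] || policy['child-src'] || policy['default-src'] || []
end

# Host source expression: optional scheme, host (optionally *.-prefixed), optional port.
SOURCE_RE = %r{\A(?:([a-z][a-z0-9+.-]*)://)?([^/:\s]+)(?::(\d+|\*))?}i

def normalize_origin(origin)
  u = URI.parse(origin)
  "#{u.scheme}://#{u.host}:#{u.port}"
end

# Does one CSP source expression permit loading +url+? Covers 'none', 'self', '*',
# scheme-only sources such as "https:" and host sources with optional wildcard/port.
def source_matches?(source, url, self_origin)
  uri = URI.parse(url)
  case source
  when "'none'" then false
  when "'self'" then "#{uri.scheme}://#{uri.host}:#{uri.port}" == normalize_origin(self_origin)
  when '*' then true
  when /\A[a-z][a-z0-9+.-]*:\z/i then source.chomp(':').casecmp?(uri.scheme)
  else
    m = SOURCE_RE.match(source) or return false
    scheme, host, port = m.captures
    return false if scheme && !scheme.casecmp?(uri.scheme)
    # "*.zuora.com" matches any subdomain; an exact host matches only itself.
    host_ok = host.start_with?('*.') ? uri.host.end_with?(host[1..]) : uri.host.casecmp?(host)
    # No port in the source means "the default port for the URL's scheme".
    port_ok = port.nil? ? uri.port == uri.default_port : (port == '*' || port.to_i == uri.port)
    host_ok && port_ok
  end
end

# True if +url+ may be framed under +header+ when the embedding page lives at +self_origin+.
def frame_allowed?(header, url, self_origin)
  frame_sources(parse_csp(header)).any? { |s| source_matches?(s, url, self_origin) }
end

# Constructed values (assumptions): GDK origin from the steps above, sandbox host from the preview link.
GDK_ORIGIN     = 'http://localhost:3000'
ZUORA_HPM_HOST = 'https://apisandbox.zuora.com'
HPM_URL        = "#{ZUORA_HPM_HOST}/apps/HostedPageLite.do"

CSP_WITHOUT_ZUORA = "default-src 'self'; script-src 'self'; frame-src 'self'"
CSP_WITH_ZUORA    = "default-src 'self'; script-src 'self'; frame-src 'self' #{ZUORA_HPM_HOST}"

if $PROGRAM_NAME == __FILE__
  puts "before: #{frame_allowed?(CSP_WITHOUT_ZUORA, HPM_URL, GDK_ORIGIN)}"  # false
  puts "after:  #{frame_allowed?(CSP_WITH_ZUORA, HPM_URL, GDK_ORIGIN)}"     # true
end
```

Two caveats the checker makes visible: an https:// source does not admit the same host over http://, so the scheme in the directive must match the scheme the HPM is actually loaded with, and a wildcard such as https://*.zuora.com admits every Zuora subdomain, so the exact hosted-page host is the tighter choice when it is known.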
