Improve inline embedding URL handling
What does this MR do and why?
We currently allow the user to embed GitLab Observability UI in the markdown editor by expanding any observe.gitlab.com links. We want to now remove support for observe.gitlab.com and allow inline embedding only through GitLab URL, e.g. https://gitlab.com/groups/gitlab-org/opstrace/-/observability/explore.
We also want to restrict inline embedding to the explore and goto path, as we don't want the user to be able to inline embed any Observability URL.
As part of this change, I've also included some changes that tackle a reported security vulnerability (https://gitlab.com/gitlab-org/security/gitlab/-/issues/821+).
- Support embedding GOUI by sharing GitLab URL (gitlab-org/opstrace/opstrace-ui#246 - closed)
- Match sharable GOUI urls only (gitlab-org/opstrace/opstrace-ui#153 - closed)
- https://gitlab.com/gitlab-org/security/gitlab/-/issues/821+
Screenshots or screen recordings
How to set up and validate locally
- Enable Observability feature flag
Feature.enable(:observability_group_tab)
- Open a markdown editor (e.g. issue description or comment)
- Insert an observability link e.g.
https://local.gitlab.com/groups/flightjs/-/observability/explore?observability_path=/explore
- See the observability iframe being rendered (might show a "Not Found" warning, depending on how local GOUI is configured)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
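
The restriction described in this MR (GitLab group URLs only, explore and goto pages only) can be checked by parsing the link and comparing each component, rather than substring-matching the raw string. The following is an added example, not code from this MR or from GitLab; the constant and method names, the `gitlab.com` host, and the path shape (taken from the example URLs above) are assumptions.

```ruby
require 'uri'

# Assumed for this sketch: instance host and path layout as in the MR's example URLs.
ALLOWED_HOST  = 'gitlab.com'
ALLOWED_PAGES = %w[explore goto].freeze
# Group path (possibly nested), then /-/observability/<page>, with nothing after it.
# Segments must start with an alphanumeric or underscore, so "." and ".." never match.
EMBED_PATH = %r{\A/groups/(?<group>[A-Za-z0-9_][\w.\-]*(?:/[A-Za-z0-9_][\w.\-]*)*)/-/observability/(?<page>[a-z]+)\z}

# Returns { group:, page: } when the link may be embedded inline, otherwise nil.
def embeddable_observability_link(raw)
  uri = URI.parse(raw)
  return nil unless uri.is_a?(URI::HTTPS)               # https only
  return nil unless uri.userinfo.nil?                   # no user@ prefix before the host
  return nil unless uri.host&.downcase == ALLOWED_HOST  # exact host, not a suffix or substring
  return nil unless uri.port == 443

  match = EMBED_PATH.match(uri.path)
  return nil unless match && ALLOWED_PAGES.include?(match[:page])

  { group: match[:group], page: match[:page] }
rescue URI::InvalidURIError
  nil
end
```

Only the parsed group and page should be used to build the iframe source; the query string still needs its own validation before it is forwarded.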