Set KAS connect-src CSP on demand (!115226) · Merge requests · GitLab.org / GitLab

Timo Furrer requested to merge kas-cookie-concern into master Mar 20, 2023

What does this MR do and why?

In Add user access functionality for KAS (!104504 - merged) we've introduced a connect-src directive for the KAS subdomain (in case it is on a subdomain) globally. However, this is not really necessary and an on-demand approach is preferred.

on-demand meaning that a controller can include the KasCookie concern to configure the correct CSP so that the KAS cookie can actually be used. The KAS cookie doesn't make any sense without the CSP config, so it naturally makes sense for it to be part of the KasCookie concern.

Screenshots or screen recordings

Page with a controller that includes the KasCookie concern:

Page that doesn't include the KasCookie concern:

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Setup KAS
Setup agentk
Enable KAS User Access Feature flags
- [Feature flag] Clean up `kas_user_access` (#391201 - closed)
- [Feature flag] Clean up `kas_user_access_project` (#391211 - closed)
Browse to the cluster / agent page to check CSP

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Set KAS connect-src CSP on demand

What does this MR do and why?

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports