Allow OneTrust script in SAML group pages

Eduardo Sanz García requested to merge eduardosanz/one-trust-csp into master

What does this MR do and why?

Currently, the Cookie Preferences button in the SAML group pages does not display the cookie menu. This is caused by the following Content Security Policy violation, which the browser reports when the OneTrust script fetches its configuration:

Refused to connect to 'https://cdn.cookielaw.org/consent/7f944245-c5cd-4eed-a90e-dd955adfdd08/7f944245-c5cd-4eed-a90e-dd955adfdd08.json' because it violates the following Content Security Policy directive: "connect-src 'self' wss://gitlab.com https://sentry.gitlab.net https://new-sentry.gitlab.net https://collector.prd-278964.gl-product-analytics.com snowplow.trx.gitlab.net".

Adding the OneTrust content security policy header resolves the issue.
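The following is an added example, not code from this MR or from GitLab: a simplified connect-src matcher (host, scheme and port rules only, no path matching) run against the directive and URL quoted above. The "after" directive, which appends https://cdn.cookielaw.org, is an assumption about the minimal change needed.

```javascript
// Added example: simplified CSP connect-src matching (not GitLab's code).
// Models 'self', scheme-sources ("https:") and host-sources with optional
// scheme, "*." wildcard and port; path matching and other keywords are omitted.

// Does one CSP source expression allow `url` when the page origin is `self`?
function sourceAllows(source, url, self) {
  if (source === "'self'") return url.origin === self.origin;
  if (source.startsWith("'")) return false;          // other keywords not modelled
  if (source.endsWith(':')) return url.protocol === source; // scheme-source
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const urlScheme = url.protocol.slice(0, -1);
  // A bare host inherits the scheme of the protected page (simplified).
  if (scheme ? scheme.toLowerCase() !== urlScheme : self.protocol !== url.protocol) return false;
  const hostOk = wildcard
    ? url.hostname.endsWith('.' + host.toLowerCase())
    : url.hostname === host.toLowerCase();
  if (!hostOk) return false;
  const defaultPort = (url.protocol === 'https:' || url.protocol === 'wss:') ? '443' : '80';
  const urlPort = url.port || defaultPort;
  if (port === undefined) return urlPort === defaultPort; // no port: default only
  return port === '*' || port === urlPort;
}

// Is `url` allowed by a full connect-src directive string?
function connectSrcAllows(directive, url, self) {
  const sources = directive.replace(/^connect-src\s+/, '').trim().split(/\s+/);
  return sources.some((s) => sourceAllows(s, url, self));
}

// Values taken from the MR description; the page origin is the SSO page linked below.
const PAGE = new URL('https://gitlab.com/groups/gitlab-com/-/saml/sso');
const ONETRUST_CONFIG = new URL('https://cdn.cookielaw.org/consent/7f944245-c5cd-4eed-a90e-dd955adfdd08/7f944245-c5cd-4eed-a90e-dd955adfdd08.json');
const BEFORE = "connect-src 'self' wss://gitlab.com https://sentry.gitlab.net https://new-sentry.gitlab.net https://collector.prd-278964.gl-product-analytics.com snowplow.trx.gitlab.net";
// Assumed fix: allow the OneTrust CDN origin in connect-src.
const AFTER = BEFORE + ' https://cdn.cookielaw.org';

console.log('before:', connectSrcAllows(BEFORE, ONETRUST_CONFIG, PAGE)); // false
console.log('after: ', connectSrcAllows(AFTER, ONETRUST_CONFIG, PAGE));  // true
```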

In addition, we set the preferred_language cookie so the language switcher doesn't crash.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

(Screen recording attached: Screen_Recording_2024-01-23_at_18.34.39)

How to set up and validate locally

To reproduce the issue, open the web console in Chrome and go to https://gitlab.com/groups/gitlab-com/-/saml/sso.

To see it working locally (as in the recording above), one needs to enable SAML.

Edited by Eduardo Sanz García