Detect CORS issues in the Web IDE

Issue: Web IDE: Duplicate `Access-Control-Allow-Orig...` (#558790 - closed)

What does this MR do and why?

It updates the Web IDE package with an enhancement to the pingWorkbench function so that it detects whether the Extension Host origin (cdn.web-ide.gitlab-static.net) can send cross-origin requests to the GitLab instance or is restricted by the instance's CORS policies. If it cannot, the Web IDE falls back to a limited version that disables the Extension Marketplace for security reasons.

Why

We have received several customer reports where the Web IDE stops working completely when assets hosted on the cdn.web-ide.gitlab-static.net origin attempt to make an HTTP request to the GitLab instance's REST API, but the GitLab instance has custom CORS rules that restrict the origins allowed to reach the REST API's endpoints. This Merge Request attempts to provide a solution that doesn't require user intervention, by automatically detecting CORS issues and falling back to single-domain mode when needed.

Context

pingWorkbench detects whether the user's web browser can send HTTP requests to the external HTTP server (cdn.web-ide.gitlab-static.net) hosting the VSCode workbench assets. Administrators can block access to the external assets host using a proxy. If the user's web browser can't reach the external assets host, the Web IDE loads the VSCode workbench assets from the GitLab instance's static assets and disables the Extension Marketplace for security reasons.
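The check described above, as an added illustration that is not code from this MR or from the Web IDE package: it models the server side (a rack-cors style `origins` list for a credential-less `/api/*` resource) and the browser side (whether script on the Extension Host origin may read the response), and derives the Web IDE mode from the two. The instance URL `https://gitlab.example.com` is a constructed sample value.

```javascript
// Constructed model of the CORS probe behind the single-domain fallback.
// Not GitLab's implementation; names and the sample instance URL are assumptions.

const EXTENSION_HOST_ORIGIN = 'https://cdn.web-ide.gitlab-static.net';
const SAMPLE_INSTANCE_URL = 'https://gitlab.example.com'; // constructed sample

// Server side: minimal model of the `allow do origins ... end` block for a
// resource served with `credentials: false`. Returns the value the server
// would put in Access-Control-Allow-Origin, or null when the origin is not allowed.
function allowOriginHeader(allowedOrigins, requestOrigin) {
  for (const allowed of allowedOrigins) {
    // A wildcard is acceptable here only because the resource never sends
    // the session cookie (credentials: false in the Rails config).
    if (allowed === '*') return '*';
    if (allowed === requestOrigin) return requestOrigin;
  }
  return null;
}

// Browser side: the same-origin policy lets script read a cross-origin
// response only when the header is '*' or names the requesting origin.
function browserAllowsRead(requestOrigin, acaoHeader) {
  return acaoHeader === '*' || acaoHeader === requestOrigin;
}

// The probe: can code running on the Extension Host origin read a REST API
// response from the GitLab instance? If not, the Web IDE must disable the
// Extension Marketplace and run from the instance's own origin only.
function detectWebIdeMode(instanceCorsOrigins, requestOrigin = EXTENSION_HOST_ORIGIN) {
  const acao = allowOriginHeader(instanceCorsOrigins, requestOrigin);
  return browserAllowsRead(requestOrigin, acao) ? 'multi-domain' : 'single-domain';
}

// Three instance configurations: the default wildcard, the restrictive rule
// from the local-setup patch, and a restrictive rule that also allows the CDN.
const DEFAULT_CONFIG = ['*'];
const RESTRICTIVE_CONFIG = [SAMPLE_INSTANCE_URL];
const RESTRICTIVE_PLUS_CDN = [SAMPLE_INSTANCE_URL, EXTENSION_HOST_ORIGIN];

for (const cfg of [DEFAULT_CONFIG, RESTRICTIVE_CONFIG, RESTRICTIVE_PLUS_CDN]) {
  console.log(JSON.stringify(cfg), '->', detectWebIdeMode(cfg));
}
```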

Documentation changes

This Merge Request also updates the Web IDE's troubleshooting documentation to add a section that explains the CORS policy configuration expected by the Web IDE. It also explains that the Web IDE works on a limited capacity on air-gapped instances.

References

Screenshots or screen recordings

The user will see a warning message indicating that some features in the Web IDE are disabled for security reasons, because there is no external origin available to run third-party code. The user can permanently dismiss this message.

[Screenshot: single-domain-mode.png]

How to set up and validate locally

  1. Run `git checkout 558790-detect-cors-restrictions-for-web-ide`.

  2. Run `yarn install`.

  3. Apply the patch:

    diff --git a/config/application.rb b/config/application.rb
    index a1667dea3ce5..f117ece1c147 100644
    --- a/config/application.rb
    +++ b/config/application.rb
    @@ -454,7 +454,7 @@ class Application < Rails::Application
     
           # Cross-origin requests must not have the session cookie available
           allow do
    -        origins '*'
    +        origins Gitlab.config.gitlab.url
             resource '/api/*',
               credentials: false,
               headers: :any,
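     Review bot: This hunk is a local reproduction fixture rather than part of the change under review, so step 3 should say to revert it before committing and `config/application.rb` should not appear in the MR diff. Narrowing `origins '*'` to `origins Gitlab.config.gitlab.url` allows only requests whose Origin matches the instance URL, which is what makes requests from cdn.web-ide.gitlab-static.net fail the CORS check and exercises the single-domain fallback; the unchanged `credentials: false` context line keeps the "must not have the session cookie" guarantee stated in the comment above intact.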

  4. Run `gdk restart rails`.

  5. Open the Web IDE.

  6. You should see the warning message demonstrated in the screenshot above.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Enrique Alcántara
