
Support custom domains in Jira Connect CSP frame-ancestors

What does this MR do and why?

On GitLab.com, we have enabled CSP which prevents the GitLab for Jira Cloud app from being installed on custom Jira domains.

Currently, app/controllers/jira_connect/subscriptions_controller.rb#L4 adds the following hostnames to the CSP:

ALLOWED_IFRAME_ANCESTORS = [:self, 'https://*.atlassian.net', 'https://*.jira.com'].freeze

However, a custom Jira domain could be anything.

This MR does the following:

  1. When a user installs the GitLab for Jira Cloud app, it sends a payload back to JiraConnect::EventsController. This payload includes displayUrl, which is the Jira custom domain. We store displayUrl as a new property in JiraConnectInstallation#display_url.
    • Previously, we only stored the baseUrl, which will always be *.atlassian.net, even if the Jira Cloud instance has a custom domain.
  2. When JiraConnect::SubscriptionsController is called from within the GitLab for Jira Cloud app, we can check if JiraConnectInstallation#display_url differs from JiraConnectInstallation#base_url - if it does, add display_url to the iframe ancestors in the CSP.
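To make the two steps above concrete, here is an added example in plain Ruby (not code from this MR or from GitLab): it parses a constructed "installed" lifecycle payload, keeps displayUrl next to baseUrl, reduces each to a CSP origin, and appends the display origin to the frame-ancestors sources only when it differs from the base origin. The Installation struct and the function names are stand-ins assumed for this example; JiraConnectInstallation, the controllers and the request authentication are not modelled.

```ruby
require 'json'
require 'uri'

# Constructed sample of a Jira Connect "installed" lifecycle payload, reduced
# to the fields this example needs (not a real capture).
SAMPLE_INSTALLED_PAYLOAD = <<~JSON
  {
    "eventType": "installed",
    "clientKey": "example-client-key",
    "baseUrl": "https://example-tenant.atlassian.net",
    "displayUrl": "https://jira.example.com"
  }
JSON

# Static frame-ancestors sources, mirroring the constant quoted in the MR.
ALLOWED_IFRAME_ANCESTORS = [:self, 'https://*.atlassian.net', 'https://*.jira.com'].freeze

# Hypothetical stand-in for the JiraConnectInstallation record, holding only
# the two URL attributes this example uses.
Installation = Struct.new(:base_url, :display_url, keyword_init: true)

# Build an Installation from the lifecycle payload. displayUrl is optional in
# the payload, so fall back to baseUrl when it is absent.
def installation_from_payload(json)
  data = JSON.parse(json)
  base = data.fetch('baseUrl')
  Installation.new(base_url: base, display_url: data['displayUrl'] || base)
end

# Reduce a URL to the origin form a CSP source expression expects
# (scheme://host[:port], no path, query or fragment). Returns nil for anything
# that is not an absolute https URL, so a malformed or plain-http display URL
# never reaches the policy.
def csp_origin(url)
  uri = URI.parse(url.to_s)
  return nil unless uri.is_a?(URI::HTTPS) && uri.host

  origin = "https://#{uri.host}"
  origin += ":#{uri.port}" unless uri.port == 443
  origin
rescue URI::InvalidURIError
  nil
end

# Compute the frame-ancestors sources for an installation: the static list,
# plus the custom domain's origin when it differs from the base origin.
def frame_ancestors_for(installation)
  sources = ALLOWED_IFRAME_ANCESTORS.map { |s| s == :self ? "'self'" : s }
  base = csp_origin(installation.base_url)
  custom = csp_origin(installation.display_url)
  sources << custom if custom && custom != base
  sources
end

# Render the directive as it would appear in the Content-Security-Policy header.
def frame_ancestors_directive(installation)
  "frame-ancestors #{frame_ancestors_for(installation).join(' ')}"
end

if __FILE__ == $PROGRAM_NAME
  inst = installation_from_payload(SAMPLE_INSTALLED_PAYLOAD)
  puts frame_ancestors_directive(inst)
end
```

Two points worth keeping in mind when reading this against the real change: only the origin of display_url is added, never a path, because frame-ancestors source expressions are host-based; and the display URL should only be stored after the lifecycle request itself has been authenticated, which sits outside this snippet.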

References

Screenshots or screen recordings

Before: see video in #498734 (closed)
After: video1749660006 (attached recording)

How to set up and validate locally

To test this you will need:

  • A Jira Cloud workspace on a Premium plan, and with a custom domain configured. You can sign up for a Premium trial.
  • GitLab running in Gitpod, as GitLab needs to be publicly available to the internet.
  1. Switch to the feature/jira-custom-domains-csp branch.

  2. In GDK, enable CSP and run gdk reconfigure:

    development:
      gitlab:
        content_security_policy: true
  3. Follow these sections under the https://docs.gitlab.com/development/integrations/jira_connect/#set-up-with-jira page:

    • Setting up Gitpod
    • Install the app in Jira
    • Set up the GitLab OAuth authentication flow
  4. Next, while following the Set up the app in Jira section under https://docs.gitlab.com/development/integrations/jira_connect/#set-up-with-jira:

    • Ensure that the browser developer tools are open
    • You should see a network request to https://<GITPOD_DOMAIN>/-/jira_connect/subscriptions
    • Take a look at the Content-Security-Policy response header - you should see your custom Jira domain included in the value
    • Feel free to complete the app setup process - you should be able to follow all the steps in https://docs.gitlab.com/integration/jira/connect-app/#configure-the-gitlab-for-jira-cloud-app and set up a group link. If we get this far, then everything works!
  5. Switch to the master branch

  6. Open a new tab, and follow the Set up the app in Jira section under https://docs.gitlab.com/development/integrations/jira_connect/#set-up-with-jira again.

    • Ensure that the browser developer tools are open
    • You should see a network request to https://<GITPOD_DOMAIN>/-/jira_connect/subscriptions
    • Take a look at the Content-Security-Policy response header - the custom Jira domain should be missing
    • You should see an error in the console about the iframe ancestors not matching up (as per #498734 (closed))
    • Eventually, the page will time out with an error

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Anton Smith
