Push iframe feature flag to frontend based on project/group, and support asset proxy adjustments

What does this MR do and why?

Push "allow <iframe>s in Markdown" feature flag to frontend based on project/group, not user! I missed this aspect of the existing code when I picked up Allow iframe embeds in markdown from allowed sr... (!200864 - merged) — when I accepted a suggestion to check the frontend feature flag, I didn't realise how that flag actually made it to the frontend.

It's now enabled by project and group in the respective controller base classes, as the render is cached per Markdown field -- it doesn't make sense to do this per user, and it stops us from meaningfully testing and evaluating it in production, as we'd have to enable both for the target project or group (for the backend render) and for the users (for the frontend). We add backend feature tests for the relevant scenarios to make sure we've covered them all.

I also noticed while evaluating this in gstg that the frontend code didn't allow correctly for the asset proxy filter's changes to what gets rendered. Oops. Turns out manually testing with asset proxy configured is not popular. This MR adds specs for the frontend transformation pass, checking how it operates on inputs produced both without and with the asset proxy.

How to set up and validate locally

  1. Check out the branch.
  2. In the Rails console, enable the allow_iframes_in_markdown feature flag for a particular Project or Group:
    p = Project.find_by_full_path('test/project')
    Feature.enable(:allow_iframes_in_markdown, p)
  3. Optionally, enable (or disable) the asset proxy. It doesn't need to be a real, functioning asset proxy, as we're not actually going to be looking at any assets through it! But it changes the rendered HTML in ways that are relevant to how the frontend then transforms it.
    ApplicationSetting.first.update!(asset_proxy_enabled: true, asset_proxy_url: "https://asset-proxy.example", asset_proxy_secret_key: "hahaok")
    You'll need to gdk restart rails-web for changes to this setting to take effect.
  4. Enable the <iframe> embedding feature on the instance by navigating to Admin → Settings → General → Embedded content (try http://gdk.test:3000/admin/application_settings/general#js-iframe-settings), check the checkbox, and enter some domains. You can try:
    embed.figma.com
    www.figma.com
    www.youtube.com
  5. Create an issue within your chosen project (or e.g. epic within your chosen group) containing an embed URL in our embed syntax. You can try:
    ![](https://www.youtube.com/embed/IxX_QHay02M)
  6. It should display successfully.

Please note that Markdown content is cached aggressively. If at first you don't succeed, you'll want to check that:

  • you're running the right code;
  • you've enabled the setting instance-wide (step 4 above), and you're using an embed URL with a domain that exactly matches one from there;
  • you aren't using youtube.com (you must use www.youtube.com, due to how its embeds redirect and our use of CSP);
  • you've enabled the feature flag for the project or group you're trying this on (step 2 above); and,
  • you've created or edited the Markdown content since checking out the code, as content from before checking it out will be cached with the old generated HTML.

If you do not succeed, check the browser's DevTools inspector to see what elements are in the DOM where the embed is expected.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Asherah Connor
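
The exact-domain requirement from the troubleshooting list above, as an added example that is not part of this MR or GitLab's code: a hypothetical helper, classify_embed_host, that checks an embed URL's host against an allowlist and names the near-miss when the match is not exact. The allowlist reuses the sample domains from step 4; the other URLs are constructed, and lower-casing the host before comparison is an assumption of this sketch.

```ruby
require 'uri'

# Constructed allowlist: the sample domains from step 4 above.
ALLOWED_DOMAINS = %w[embed.figma.com www.figma.com www.youtube.com].freeze

# Hypothetical helper, not GitLab's code. Classifies an embed URL's host
# against the allowlist and names the near-miss when the match is not exact.
def classify_embed_host(url, allowed = ALLOWED_DOMAINS)
  uri = URI.parse(url)
  return :invalid unless uri.is_a?(URI::HTTP) && uri.host

  host = uri.host.downcase # assumption: compare hosts case-insensitively
  return :allowed if allowed.include?(host)
  # Only the www-prefixed name is listed, e.g. youtube.com vs www.youtube.com.
  return :bare_domain if allowed.include?("www.#{host}")
  # A subdomain of a listed name is still not an exact match.
  return :subdomain if allowed.any? { |d| host.end_with?(".#{d}") }
  # A listed name appearing inside a different host must never be accepted;
  # this is why substring or prefix matching is the wrong check.
  return :lookalike if allowed.any? { |d| host.include?(d) }

  :not_listed
rescue URI::InvalidURIError
  :invalid
end

# Constructed sample inputs (the first URL is the one from step 5).
SAMPLES = [
  'https://www.youtube.com/embed/IxX_QHay02M',
  'https://youtube.com/embed/IxX_QHay02M',
  'https://cdn.www.figma.com/file/x',
  'https://www.youtube.com.example.net/embed/x',
  'https://vimeo.example/1',
  'not a url'
].freeze

SAMPLES.each { |u| puts format('%-12s %s', classify_embed_host(u), u) }
```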
