Explicitly name origin in Mermaid sandbox CSP

What does this MR do and why?

Explicitly name origin in Mermaid sandbox CSP

See #601981 (closed); this fixes a Safari-specific issue.

Screenshots or screen recordings

Before: [screenshot]
After: [screenshot]

How to set up and validate locally

  1. Run a production copy of GitLab. This margin is a bit too small to fit the full instructions, but I documented a way to do this with Kind for an unrelated task at gitlab-org/charts/gitlab!5029 (comment 3357811276) under the subheading "Verify Rails sees the config". No need to hack a custom values file together. Here's an example helm upgrade --install gitlab invocation assuming you've prepared the cluster:

    helm upgrade --install gitlab . \
      --namespace gitlab \
      --timeout 900s \
      -f .values/dev-external.values.yaml \
      -f examples/kind/values-base.yaml \
      -f examples/kind/values-no-ssl.yaml \
      --set global.hosts.domain=charts-dev.test \
      --set global.hosts.gitlab.name=charts-dev.test \
      --set certmanager-issuer.email=test@example.com

    This assumes you have set charts-dev.test to resolve to 127.0.0.1.

  2. You'll need to set root's password to log in.

    kubectl exec -it -n gitlab deployment/gitlab-toolbox -c toolbox -- gitlab-rails console
    gitlab(prod)> u = User.first
    => #<User id:1 @root>
    gitlab(prod)> u.password = 'your top secret password'
    => "your top secret password"
    gitlab(prod)> u.password_confirmation = 'your top secret password'
    => "your top secret password"
    gitlab(prod)> u.save!
    => true

  3. Forward the webservice port (leave this running):

    sudo kubectl port-forward -n gitlab svc/gitlab-webservice-default 80:8181

    If the webservice pod isn't ready yet, wait and retry. It might take 5 to 10 minutes.

    Using sudo to put it on port 80 is yucky, but there appears to be no way to configure Gitlab.config.gitlab.port through the Helm charts, so the application always assumes that it's on port 80 when accessed via plain HTTP; this becomes part of the CSP, so testing using a non-matching port will not work.

  4. Using Safari, log in, create a project, and go create a work item with the following content:

    ```mermaid
    packet
    title UDP Packet
    +16: "Source Port"
    +16: "Destination Port"
    32-47: "Length"
    48-63: "Checksum"
    64-95: "Data (variable length)"
    ```

  5. It should render as the "Before" image above, and the console should show errors similar to those in that screenshot.

  6. Update your cluster to use the latest CNG images built from this branch. These SHAs are accurate as of writing (see https://gitlab.com/gitlab-org/gitlab/-/jobs/14983425523#L240):

    REG=registry.gitlab.com/gitlab-org/build/cng-mirror \
      helm upgrade --install gitlab . \
      --namespace gitlab \
      --timeout 900s \
      -f .values/dev-external.values.yaml \
      -f examples/kind/values-base.yaml \
      -f examples/kind/values-no-ssl.yaml \
      --set global.hosts.domain=charts-dev.test \
      --set global.hosts.gitlab.name=charts-dev.test \
      --set certmanager-issuer.email=test@example.com \
      --set gitlab.webservice.image.repository=$REG/gitlab-webservice-ee \
      --set gitlab.webservice.image.tag=58f066e4bb4abc1f4502440c4414c21cf11acc0e \
      --set gitlab.webservice.workhorse.image=$REG/gitlab-workhorse-ee \
      --set gitlab.webservice.workhorse.tag=37a4a90d1e24ccd0b81e2657463b1cb280d69c13 \
      --set gitlab.sidekiq.image.repository=$REG/gitlab-sidekiq-ee \
      --set gitlab.sidekiq.image.tag=42e77d9ad2587fd0186edb936e6d3842328f0e13 \
      --set gitlab.toolbox.image.repository=$REG/gitlab-toolbox-ee \
      --set gitlab.toolbox.image.tag=74349c662ed1e3705cf1d5671990121f8eefed91 \
      --set gitlab.migrations.image.repository=$REG/gitlab-toolbox-ee \
      --set gitlab.migrations.image.tag=74349c662ed1e3705cf1d5671990121f8eefed91

    It's probably enough to specify just the gitlab.webservice.image overrides, but we might as well be thorough.

  7. Wait for the images to download and the new pods to spin up. You'll notice your existing kubectl port-forward closes automatically when the old pods are decommissioned; you can now just re-run the same command to open a port forward to the new one.

  8. Refresh the page; you might well need to open the Network tab in Safari and check "Disable Caches" or otherwise clear cache. You should see it render as the "After" image above, without errors in the console.
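Step 3's caveat (the port forward must land on port 80 because the port is part of the origin the CSP names) comes down to how a CSP host-source is matched against a URL. The following is an added example, not GitLab's code: it implements the scheme/host/port part of CSP3 source matching and shows that an origin written as http://charts-dev.test matches only the default port, so a forward to :8181 is refused. The policy string and URLs are constructed for illustration; which directive GitLab actually emits is not assumed.

```python
from urllib.parse import urlsplit

# Added example, not GitLab's code: models CSP host-source matching
# (scheme, host, port; paths ignored) to show why a port-forward on a
# non-default port fails to match an origin written without a port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """(scheme, host, effective port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]


def source_matches(expr, url, self_origin):
    """Does one CSP source expression allow `url`? self_origin is the page's own URL."""
    scheme, host, port = _origin(url)
    if expr == "'self'":             # same scheme, host AND port as the document
        return (scheme, host, port) == _origin(self_origin)
    if expr == "*":
        return True
    expr_scheme, sep, rest = expr.partition("://")
    if not sep:                      # bare host like charts-dev.test: inherit the URL scheme
        expr_scheme, rest = scheme, expr
    expr_host, _, expr_port = rest.split("/", 1)[0].partition(":")
    # Scheme: equal, or an http/ws source also allows its TLS-upgraded form.
    if expr_scheme != scheme and (expr_scheme, scheme) not in {("http", "https"), ("ws", "wss")}:
        return False
    # Host: exact match, or wildcard subdomain "*.example.test".
    if expr_host.startswith("*."):
        if not host.endswith(expr_host[1:]):
            return False
    elif expr_host.lower() != host:
        return False
    # Port: "*" allows any; explicit port must equal; absent means only the URL scheme's default.
    if expr_port == "*":
        return True
    if expr_port:
        return port == int(expr_port)
    return port == DEFAULT_PORTS[scheme]


def allowed(header, directive, url, self_origin):
    """True if any source in `directive` permits `url` (no fallback to default-src)."""
    return any(source_matches(e, url, self_origin) for e in parse_csp(header).get(directive, []))


# Constructed policy mirroring the local setup above (directive choice is illustrative only).
POLICY = "default-src 'none'; frame-src http://charts-dev.test"
```

With this policy, `allowed(POLICY, "frame-src", "http://charts-dev.test/sandbox", "http://charts-dev.test")` is true while the same URL on port 8181 is refused, which is exactly the mismatch the sudo port-forward avoids.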

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Asherah Connor
