Stop using 'self' in the CSP's frame-src directive

What does this MR do and why?

Related to #336136 (closed)

One part of &6363 (closed)

It fixes the CSP bypass described in the issue above. Once all known bypasses are patched, it will limit the impact of XSS on GitLab.

Screenshots or screen recordings


How to set up and validate locally

To see the change: start the GDK locally, visit any page in the GitLab application, and observe the Content-Security-Policy header in the response (the header is present only in development mode).

To validate it didn't break anything: visit pages where GitLab (the application) frames itself and confirm the framed content still loads.
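An added check for the local validation step above (example code of mine, not code from the MR or from GitLab): it parses a Content-Security-Policy header, follows the frame-src, child-src, default-src fallback chain that browsers apply to framed content, and reports whether 'self' still governs framing. The header values are constructed and do not reproduce GitLab's real policy.

```python
"""Check whether a CSP header lets a page frame its own origin via 'self'."""
# Added example, not part of the merge request; sample headers are constructed.
from typing import Dict, List, Optional

# Fallback chain browsers use for framed content (CSP Level 3):
# frame-src, then child-src, then default-src.
_FRAME_FALLBACK = ("frame-src", "child-src", "default-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; the first token of each is the name
    (case-insensitive), the rest are whitespace-separated sources.
    Only the first occurrence of a directive counts, as in browsers.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_frame_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Source list governing <iframe> loads, or None if the whole
    fallback chain is absent (framing is then unrestricted)."""
    for name in _FRAME_FALLBACK:
        if name in policy:
            return policy[name]
    return None


def frame_src_allows_self(header: str) -> bool:
    """True if the effective frame sources include 'self'."""
    sources = effective_frame_sources(parse_csp(header))
    if sources is None:
        return True  # no restriction at all
    return any(src.lower() == "'self'" for src in sources)


# Constructed headers: with 'self' in frame-src, and with it removed.
BEFORE = "default-src 'self'; frame-src 'self' https://frames.example"
AFTER = "default-src 'self'; frame-src https://frames.example"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, "frame-src allows 'self':", frame_src_allows_self(hdr))
```

Dropping frame-src entirely is not equivalent to removing 'self' from it: with default-src 'self' and no frame-src, the check still reports True because framing falls back to default-src.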

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture
