
Fix issues with frame-src CSP directive

Dominic Couture requested to merge csp-frame-sidekiq-letteropener into master

What does this MR do and why?

Following !71345 (merged), the Sidekiq dashboard didn't work in development mode using Chrome.

This is because when there is a path such as https://example.com/path in the CSP, Chrome understands it as exactly that path and will block https://example.com/path/subpath. Firefox will accept that path and subpaths. However, https://example.com/path/ only accepts subpaths and will block https://example.com/path. For this reason we need both /sidekiq/ and /sidekiq in the CSP.

In addition to that, it was pointed out in !71345 (comment 710820794) that the letter opener stopped working, so this MR addresses this issue as well.

Screenshots or screen recordings

No visual changes

How to set up and validate locally

  1. Visit /admin/background_jobs in Chrome and change the tabs in the sidekiq dashboard. Validate that they all work.
  2. Visit /rails/letter_opener/ and observe that the letter opener application works.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture
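The path matching described above, as an added example that is not part of this MR or of GitLab's own code: a small Ruby model of the CSP Level 3 path-part rule (exact match when the source path has no trailing slash, prefix match when it does), showing why a frame-src list needs both /sidekiq and /sidekiq/. The http://localhost:3000 origin is a constructed assumption, and percent-decoding, wildcards and scheme upgrades are left out.

```ruby
require 'uri'

# Added example, not GitLab code. CSP Level 3 path-part matching as the MR
# attributes it to Chrome: a source path without a trailing "/" must equal the
# URL path exactly; a source path ending in "/" is a prefix match. An empty
# source path (or "/") matches any path. Percent-decoding is omitted.
def csp_path_matches?(source_path, url_path)
  return true if source_path.empty? || source_path == '/'

  if source_path.end_with?('/')
    url_path.start_with?(source_path)
  else
    url_path == source_path
  end
end

# Scheme, host and port must agree (URI supplies the scheme's default port when
# none is written), then the path rule decides. Wildcards and the http->https
# upgrade rule are not modelled.
def csp_source_matches?(source, url)
  src = URI.parse(source)
  u = URI.parse(url)
  return false unless src.scheme == u.scheme
  return false unless src.host.to_s.downcase == u.host.to_s.downcase
  return false unless src.port == u.port

  csp_path_matches?(src.path, u.path.empty? ? '/' : u.path)
end

# A frame is allowed when any source expression in the frame-src list matches.
def frame_allowed?(frame_src_list, url)
  frame_src_list.any? { |source| csp_source_matches?(source, url) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed dev origin; the point is the /sidekiq vs /sidekiq/ pair.
  dashboard = 'http://localhost:3000/sidekiq'
  tab       = 'http://localhost:3000/sidekiq/retries'
  [['http://localhost:3000/sidekiq'],
   ['http://localhost:3000/sidekiq/'],
   ['http://localhost:3000/sidekiq', 'http://localhost:3000/sidekiq/']].each do |list|
    puts "#{list.join(' ')} => dashboard=#{frame_allowed?(list, dashboard)} " \
         "tab=#{frame_allowed?(list, tab)}"
  end
end
```

Only the list carrying both entries allows the dashboard page and its tab sub-paths; either entry alone blocks one of them.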
