Draft: Fix webpack dev-server for sandboxed mermaid
What does this MR do and why?
Follow-up from !76470 (comment 800740152). Main MR - !74414 (merged).
Feature context
- We added a new iframe to render
mermaid
diagrams, and the src for the iframe is/-/sandbox/mermaid
. - The iframe uses
sandbox
attribute (withoutallow-same-origin
) to prevent security issues originating from Mermaid libraryallow-same-origin: If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).
Problem
Any page rendering these mermaid diagrams would get a stream of webpack errors. It makes it a bit annoying to use browser console and potentially impact developer productivity.
- Error: (ref screenshot section )
> Invalid Host/Origin header
> [WDS] Disconnected!
Code references
- The webpack bundle is added at https://gitlab.com/gitlab-org/gitlab/blob/b2383e8f5fb3d744ca0d6a24a23ff39a3622def6/app/views/sandbox/mermaid.html.erb#L4
<%= webpack_bundle_tag("sandboxed_mermaid") %>
- The Iframe element is added at https://gitlab.com/gitlab-org/gitlab/-/blob/ccf068e52003a0f774505c0b378994141a59745d/app/assets/javascripts/behaviors/markdown/render_sandboxed_mermaid.js#L91)
setAttributes(iframeEl, {
src: getSandboxFrameSrc(),
sandbox: 'allow-scripts',
frameBorder: 0,
scrolling: 'no',
width: '100%',
});
Potential Fix
Tried a fix by disabling host checking, but that's not ideal and can lead to security issues. Looking for ideas for properly fixing the issue, maybe
- Maybe we can disable HMR for this particular bundle?
- Maybe we can add
null
origin to the allowed list. Need to check with security implications though
Screenshots or screen recordings
before | after (no errors) |
---|---|
How to set up and validate locally
-
Enable the feature flag
Feature.enable(:sandboxed_mermaid)
-
Create an issue / MR and generate mermaid diagrams
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.