Automatically adapt the CSP when snowplow is enabled

Dominic Couture requested to merge dcouture-csp-snowplow into master

What does this MR do and why?

Related to #337973 (closed)

When the CSP is enabled (which is not the default value at the moment) and Snowplow is enabled after the fact, it's likely to break because of the CSP. This MR automatically modifies the CSP to allowlist the Snowplow host.

How to set up and validate locally

Note that ad blockers are likely to block the Snowplow script; make sure you don't have one enabled when testing this.

  1. Modify the Snowplow settings in /admin/application_settings/general#js-snowplow-settings to enable Snowplow and set a Snowplow collector host.
  2. Observe the CSP (Content-Security-Policy HTTP header) on the following controller requests in your browser. Using curl is also an easy alternative (test.local was the hostname I configured for Snowplow).
  3. Observe that Snowplow still works and sends requests to the Snowplow host when navigating GitLab (requires HTTPS and CORS to be set up properly to test; the following request was sent when visiting a project page)
POST /com.snowplowanalytics.snowplow/tp2 HTTP/1.0
Host: snowplow.mytestdomain.example.com
Connection: close
Content-Length: 2308
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36
sec-ch-ua-platform: "macOS"
Content-Type: application/json; charset=UTF-8
Accept: */*
Origin: http://localhost:3000
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

{"schema":"iglu:com.snowplowanalytics.snowplow/payload_data/jsonschema/1-0-4","data":[{"e":"pp","url":"http://localhost:3000/dgdfg/wsdfsdf","page":"GitLab","pp_mix":"0","pp_max":"0","pp_miy":"0","pp_may":"0","tv":"js-2.17.3","tna":"gl","aid":"ajajaj","p":"web","tz":"America/New_York","lang":"en-US","cs":"UTF-8","f_pdf":"1","f_qt":"0","f_realp":"0","f_wma":"0","f_dir":"0","f_fla":"0","f_java":"0","f_gears":"0","f_ag":"0","res":"1680x1050","cd":"30","cookie":"1","eid":"84d54245-17ca-41ff-9a26-e644400ed6a4","dtm":"1644528144981","cx":"eyJzY ...snipped... Q0NTI4MTE0ODkwfX1dfQ","vp":"1680x520","ds":"1680x3634","vid":"1","sid":"0f1f10d5-224e-41e4-afe2-a273f2fd4493","duid":"7ebc7b40-b17a-4d46-bcba-d2cbb87bef4f","stm":"1644528144983"}]}
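As an added illustration (not this MR's or GitLab's own code): a small Ruby sketch of the adjustment the MR describes, which parses a CSP header, allowlists the configured Snowplow collector host, and checks whether a collector origin would pass, so the header observed in step 2 can be verified without a browser. It assumes the host belongs in connect-src (the directive governing the POST shown above), prefixes https:// when the configured host has no scheme, and uses a simplified source matcher (no port or path handling).

```ruby
# Added example, not GitLab's code. Assumption: the Snowplow collector host
# needs to be allowlisted in connect-src so the tracker's POST is permitted.

# Parse "a b; c d" into { "a" => ["b"], "c" => ["d"] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |raw, acc|
    name, *sources = raw.strip.split(/\s+/)
    acc[name] = sources if name
  end
end

def serialize_csp(directives)
  directives.map { |name, sources| ([name] + sources).join(" ") }.join("; ")
end

# Add the collector host to connect-src. If connect-src is absent, seed it from
# default-src so the other sources the browser would have fallen back to are
# kept rather than silently dropped when the directive is introduced.
def allowlist_snowplow_host(header, collector_host)
  directives = parse_csp(header)
  origin = collector_host.include?("://") ? collector_host : "https://#{collector_host}"
  directives["connect-src"] ||= (directives["default-src"] || []).dup
  directives["connect-src"] << origin unless directives["connect-src"].include?(origin)
  serialize_csp(directives)
end

# Does connect-src (falling back to default-src) permit a request to origin?
# Simplified matcher: handles *, 'self', 'none' and host-sources with an
# optional wildcard subdomain such as https://*.example.com.
def connect_allowed?(header, origin, self_origin)
  directives = parse_csp(header)
  sources = directives["connect-src"] || directives["default-src"] || []
  sources.any? do |src|
    case src
    when "*" then true
    when "'self'" then origin == self_origin
    when "'none'" then false
    else
      pattern = Regexp.escape(src).sub("\\*", "[^/]+")
      origin.match?(/\A#{pattern}\z/)
    end
  end
end
```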

Edited by Dominic Couture