Automatically adapt the CSP when snowplow is enabled
What does this MR do and why?
Related to #337973 (closed)
When the CSP is enabled (which is not the default at the moment) and Snowplow is enabled afterwards, Snowplow is likely to be broken by the CSP, since the tracker's requests to the collector host are not allowlisted. This MR automatically modifies the CSP to allowlist the Snowplow collector host.
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
Note that ad blockers are likely to block the Snowplow script; make sure you don't have one enabled when testing this.
- Modify the Snowplow settings in `/admin/application_settings/general#js-snowplow-settings` to enable Snowplow and set a Snowplow collector host.
- Observe the CSP (`Content-Security-Policy` HTTP header) on the following controller requests in your browser. Using `curl` is also an easy alternative (`test.local` was the hostname I configured for Snowplow).
- Observe that Snowplow still works and sends requests to the Snowplow host when navigating GitLab (requires HTTPS and CORS to be set up properly to test; the following request was sent when visiting a project page):
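The two pieces of the change described above, the CSP adjustment and the header check used to validate it, as an added illustration that is not the MR's own code or GitLab's `ContentSecurityPolicy` implementation. It assumes a directives hash with snake_case string keys and arrays of sources (the shape a YAML CSP config produces), and the helper names (`SnowplowCsp`, `allow_snowplow`, `connect_allowed?`) are hypothetical. The captured request above is a cross-site `POST` to the collector, which CSP governs under `connect-src`, so that is the directive the example extends; matching of schemeless sources is simplified (the real rule depends on the page's own origin).

```ruby
# frozen_string_literal: true
# Added example; not GitLab's code. Names and the directives-hash shape are assumptions.
require 'uri'

module SnowplowCsp
  module_function

  # Normalise the admin-entered collector hostname ("test.local",
  # "http://localhost:9090/", "snowplow.example.com:8443") into a CSP
  # host-source. A scheme is kept only if the admin typed one; a port is kept
  # only if it is not the scheme's default. Returns nil for unusable input.
  def collector_source(hostname)
    value = hostname.to_s.strip
    return nil if value.empty?

    explicit_scheme = value.include?('://')
    uri = URI.parse(explicit_scheme ? value : "https://#{value}")
    return nil if uri.host.nil? || uri.host.empty?

    source = uri.host
    source = "#{uri.scheme}://#{source}" if explicit_scheme
    source = "#{source}:#{uri.port}" if uri.port && uri.port != uri.default_port
    source
  rescue URI::InvalidURIError
    nil
  end

  # Append the collector to connect-src when Snowplow is enabled.
  # Returns a new hash and leaves the input untouched.
  def allow_snowplow(directives, enabled:, collector_hostname:)
    source = collector_source(collector_hostname)
    return directives unless enabled && source

    connect = Array(directives['connect_src']).dup
    # 'none' cannot be combined with other sources, so it has to be replaced.
    connect.delete("'none'")
    connect << source unless connect.include?(source)
    directives.merge('connect_src' => connect)
  end

  # Render the hash the way the header is served: "connect-src 'self' host; ..."
  def to_header(directives)
    directives.map { |name, srcs| "#{name.to_s.tr('_', '-')} #{Array(srcs).join(' ')}" }.join('; ')
  end

  # Validation step: given a served Content-Security-Policy header, would a
  # fetch/XHR to target_origin be allowed? Uses connect-src, falling back to
  # default-src as browsers do.
  def connect_allowed?(header, target_origin)
    policy = header.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |directive, acc|
      name, *sources = directive.split(/\s+/)
      acc[name] = sources
    end
    sources = policy['connect-src'] || policy['default-src'] || []
    target = URI.parse(target_origin)
    sources.any? { |src| source_matches?(src, target) }
  end

  # Split a host-source into [scheme or nil, host, port or nil].
  def parse_host_source(src)
    scheme = nil
    rest = src
    if (m = rest.match(%r{\A([a-z][a-z0-9+.-]*)://}i))
      scheme = m[1].downcase
      rest = rest[m[0].length..-1]
    end
    rest = rest.split('/', 2).first.to_s # drop any path component
    host, port = rest.split(':', 2)
    [scheme, host.to_s.downcase, port&.to_i]
  end

  def source_matches?(src, target)
    return true if src == '*'
    return false if src.start_with?("'") # 'self', 'none', nonces: never a cross-site collector
    return target.scheme == src.chomp(':') if src.match?(/\A[a-z][a-z0-9+.-]*:\z/i) # scheme-source

    scheme, host, port = parse_host_source(src)
    return false if scheme && scheme != target.scheme

    host_ok = host.start_with?('*.') ? target.host.downcase.end_with?(host[1..-1]) : host == target.host.downcase
    # A source without an explicit port only matches the scheme's default port.
    port_ok = port ? port == target.port : target.port == target.default_port
    host_ok && port_ok
  end
end

# Constructed sample CSP, standing in for the instance's configured directives.
SAMPLE_DIRECTIVES = { 'default_src' => ["'self'"], 'connect_src' => ["'self'"], 'script_src' => ["'self'"] }.freeze

if $PROGRAM_NAME == __FILE__
  before = SnowplowCsp.to_header(SAMPLE_DIRECTIVES)
  after = SnowplowCsp.to_header(SnowplowCsp.allow_snowplow(SAMPLE_DIRECTIVES, enabled: true, collector_hostname: 'test.local'))
  puts "before: #{before} -> #{SnowplowCsp.connect_allowed?(before, 'https://test.local')}"
  puts "after:  #{after} -> #{SnowplowCsp.connect_allowed?(after, 'https://test.local')}"
end
```

Running the script prints the header before and after the collector is added and whether a connection to `https://test.local` passes; the same `connect_allowed?` check can be pointed at the header a real `curl -sI` of a GitLab page returns, which is the manual step the validation list above describes.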
POST /com.snowplowanalytics.snowplow/tp2 HTTP/1.0
Host: snowplow.mytestdomain.example.com
Connection: close
Content-Length: 2308
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36
sec-ch-ua-platform: "macOS"
Content-Type: application/json; charset=UTF-8
Accept: */*
Origin: http://localhost:3000
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
{"schema":"iglu:com.snowplowanalytics.snowplow/payload_data/jsonschema/1-0-4","data":[{"e":"pp","url":"http://localhost:3000/dgdfg/wsdfsdf","page":"GitLab","pp_mix":"0","pp_max":"0","pp_miy":"0","pp_may":"0","tv":"js-2.17.3","tna":"gl","aid":"ajajaj","p":"web","tz":"America/New_York","lang":"en-US","cs":"UTF-8","f_pdf":"1","f_qt":"0","f_realp":"0","f_wma":"0","f_dir":"0","f_fla":"0","f_java":"0","f_gears":"0","f_ag":"0","res":"1680x1050","cd":"30","cookie":"1","eid":"84d54245-17ca-41ff-9a26-e644400ed6a4","dtm":"1644528144981","cx":"eyJzY ...snipped... Q0NTI4MTE0ODkwfX1dfQ","vp":"1680x520","ds":"1680x3634","vid":"1","sid":"0f1f10d5-224e-41e4-afe2-a273f2fd4493","duid":"7ebc7b40-b17a-4d46-bcba-d2cbb87bef4f","stm":"1644528144983"}]}
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.