Allow self-hosted instances to render same-origin Iframe
What does this MR do and why?
Fixes omnibus-gitlab#6648, #349892 (comment 819864538)
It was found that self-hosted instances without CSP enabled have the X-Frame-Options header set to DENY. This breaks the sandboxing of Mermaid diagrams, which requires framing resources from the same origin.
This MR updates the header value to SAMEORIGIN.
More details
- Using `SAMEORIGIN` for "X-Frame-Options" would allow GitLab instances to use iframes from the same origin.
- It's equivalent to the `frame-ancestors` value that's proposed for the not-yet-enabled CSP: https://gitlab.com/gitlab-org/gitlab/-/blob/d0eeb2830eecb0b99ca70edf818787f259523e25/lib/gitlab/content_security_policy/config_loader.rb#L21
- We already have `frame-ancestors` for gitlab.com as well as for GDK instances, which overrides the `X-Frame-Options` header.
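The precedence the list above relies on (a CSP `frame-ancestors` directive overrides `X-Frame-Options`, and `DENY` vs `SAMEORIGIN` then decides same-origin framing) is spelled out below as an added example. It is not part of this MR or of GitLab's code; the origins are constructed, and source matching is simplified to `'self'`, `'none'`, `*` and exact origin strings.

```ruby
# Added example (not GitLab code): decides whether a page served with +headers+
# from +page_origin+ may be framed by a document at +frame_origin+.
# Precedence follows the HTML spec: when the CSP carries a frame-ancestors
# directive, X-Frame-Options is ignored entirely.
def frame_ancestors_sources(csp)
  return nil if csp.nil?
  directive = csp.split(';').map(&:strip)
                 .find { |d| d.downcase.start_with?('frame-ancestors') }
  return nil if directive.nil?
  # Drop the directive name, strip the quotes from 'self' / 'none'.
  directive.split(/\s+/).drop(1).map { |s| s.delete("'").downcase }
end

def allowed_by_frame_ancestors?(sources, page_origin, frame_origin)
  return false if sources.include?('none')
  sources.any? do |src|
    src == '*' ||
      (src == 'self' && page_origin == frame_origin) ||
      src == frame_origin.downcase
  end
end

def allowed_by_x_frame_options?(value, page_origin, frame_origin)
  return true if value.nil?
  tokens = value.split(',').map { |t| t.strip.downcase }
  return false if tokens.include?('deny')
  return page_origin == frame_origin if tokens.include?('sameorigin')
  true # unrecognised value: browsers ignore the header
end

def framing_allowed?(headers, page_origin:, frame_origin:)
  h = headers.transform_keys { |k| k.to_s.downcase }
  sources = frame_ancestors_sources(h['content-security-policy'])
  if sources
    allowed_by_frame_ancestors?(sources, page_origin, frame_origin)
  else
    allowed_by_x_frame_options?(h['x-frame-options'], page_origin, frame_origin)
  end
end
```

The case this MR fixes is the one where no CSP is sent and `X-Frame-Options: DENY` alone blocks the same-origin sandbox frame; with CSP enabled the `frame-ancestors 'self'` directive already permits it regardless of the header.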
Screenshots or screen recordings
| before | after |
|---|---|
| (screenshot) | (screenshot) |
The above screenshots are from a review app, with the "X-Frame-Options" header manually injected with the help of a Chrome extension.
How to set up and validate locally
- Disable CSP on your GDK
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 3c6606066cd..e1fa80e59bb 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -2,7 +2,7 @@
csp_settings = Settings.gitlab.content_security_policy
-csp_settings['enabled'] = Gitlab::ContentSecurityPolicy::ConfigLoader.default_enabled if csp_settings['enabled'].nil?
+csp_settings['enabled'] = false
csp_settings['report_only'] = false if csp_settings['report_only'].nil?
csp_settings['directives'] ||= {}
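Review bot: this hunk is a local validation aid only and must not be included in the MR itself: replacing the `.nil?`-guarded default with an unconditional `csp_settings['enabled'] = false` disables CSP regardless of what `gitlab.yml` says, which is exactly the state needed to reproduce the `X-Frame-Options: DENY` problem but would silently drop CSP for every instance if it landed. Consider noting that the change should be reverted after testing, or setting `content_security_policy.enabled: false` in the GDK's `gitlab.yml` instead of editing the initializer.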
- Create an issue with a Mermaid diagram
- It should render correctly with these MR changes
Alternatively, any recent GitLab instance (such as a review app) can be verified with a Chrome extension (such as ModHeader) by injecting an X-Frame-Options response header with the value SAMEORIGIN.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.