
Add customers-dot URL to CSP not only in dev

Dominic Couture requested to merge dcouture-customers-dot-csp into master

What does this MR do and why?

It adds the customers-dot URL to the frame-src directive of the CSP even when not in dev.

This solves an issue encountered while testing https://gitlab.com/gitlab-org/gitlab/-/issues/357156 on staging following the deployment of gitlab-com/gl-infra/k8s-workloads/gitlab-com!1613 (merged) earlier today. Related Slack thread: https://gitlab.slack.com/archives/CMJ8JR0RH/p1649170650589569 (internal).

Note that this is already hardcoded in the CSP on .com (here, last value on the line).

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

$ echo 'export CUSTOMER_PORTAL_URL="https://customers.gitlab.local"' >> ../.gdkrc.custom
$ gdk restart rails-web
ok: down: /Users/dcouture/gdk/gitlab.com/services/rails-web: 0s
ok: run: /Users/dcouture/gdk/gitlab.com/services/rails-web: (pid 88997) 1s, normally down
$ # Wait until GDK is up
$ curl http://127.0.0.1:3000 -si | grep customers.gitlab.local
Content-Security-Policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://127.0.0.1:3000/rails/letter_opener/ http://127.0.0.1:3000/admin/ http://127.0.0.1:3000/assets/ http://127.0.0.1:3000/-/speedscope/index.html http://127.0.0.1:3000/-/sandbox/mermaid https://customers.gitlab.local http://127.0.0.1:3000/assets/ blob: data:; connect-src 'self' http://127.0.0.1:3808 ws://127.0.0.1:3808 ws://127.0.0.1:3000; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html http://127.0.0.1:3000/rails/letter_opener/ http://127.0.0.1:3000/admin/ http://127.0.0.1:3000/assets/ http://127.0.0.1:3000/-/speedscope/index.html http://127.0.0.1:3000/-/sandbox/mermaid https://customers.gitlab.local; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com 'nonce-ICwdwHKkI7+67EFfwpmIBA=='; style-src 'self' 'unsafe-inline'; worker-src http://127.0.0.1:3000/assets/ blob: data:
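The grep in the session above only shows that the URL appears somewhere in the header. The following Ruby check, added here as an example and not part of this MR or of GitLab's code, parses the header into directives and applies the CSP3 fallback chain (frame-src, then child-src, then default-src) to report whether a given URL may be framed. The two sample headers are constructed abbreviations of the curl output: one with the customers-dot URL in frame-src (this MR) and one with it only in child-src.

```ruby
# Added example (not GitLab's code): decide whether a CSP allows framing a URL.
# CSP3 fallback chain for framing: frame-src -> child-src -> default-src.
FRAME_FALLBACK = %w[frame-src child-src default-src].freeze

# Split "a 'self' x; b y" into { "a" => ["'self'", "x"], "b" => ["y"] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    acc[name.downcase] = sources
  end
end

# Return [directive_name, sources] actually in effect for framing. A present
# frame-src wins even if it is shorter than child-src: there is no merging.
def effective_frame_sources(policy)
  name = FRAME_FALLBACK.find { |d| policy.key?(d) }
  name ? [name, policy[name]] : [nil, []]
end

# Does one source expression permit url? Handles 'self', scheme sources
# ("https:", "blob:"), path sources (prefix match) and host sources (origin
# match). Wildcard hosts are deliberately not implemented here.
def source_allows?(source, url, page_origin)
  source = page_origin if source == "'self'"
  return false if source.start_with?("'")                  # 'none', 'nonce-...'
  return url.start_with?(source) if source.end_with?(':')  # scheme source
  return url.start_with?(source) if source.count('/') > 2  # path source
  url == source || url.start_with?(source + '/')           # host source
end

def frame_allowed?(header, url, page_origin)
  _name, sources = effective_frame_sources(parse_csp(header))
  sources.any? { |s| source_allows?(s, url, page_origin) }
end

# Constructed sample headers, abbreviated from the MR's curl output.
CUSTOMERS = 'https://customers.gitlab.local'.freeze
CSP_AFTER  = "default-src 'self'; child-src https://www.google.com/recaptcha/ #{CUSTOMERS}; " \
             "frame-src https://www.google.com/recaptcha/ #{CUSTOMERS}; object-src 'none'".freeze
CSP_BEFORE = "default-src 'self'; child-src https://www.google.com/recaptcha/ #{CUSTOMERS}; " \
             "frame-src https://www.google.com/recaptcha/; object-src 'none'".freeze

if __FILE__ == $PROGRAM_NAME
  target = "#{CUSTOMERS}/subscriptions/new"
  puts "after:  #{frame_allowed?(CSP_AFTER, target, 'http://127.0.0.1:3000')}"   # true
  puts "before: #{frame_allowed?(CSP_BEFORE, target, 'http://127.0.0.1:3000')}"  # false
end
```

Because frame-src is present in both headers, the customers-dot entry in child-src never applies; that is why the URL has to be added to frame-src itself rather than relying on fallback.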

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
