CSP bug when previewing PDF using LFS object storage without `proxy_download`
Summary
Related to #248100 (closed): when `proxy_download` is set to `false` and LFS is configured with an external object storage, previewing an LFS PDF file produces CSP errors (when the CSP is enabled), and possibly the same happens for other file formats we offer previews for. This is because the page issues a `fetch` request for the file and the `connect-src` directive of the CSP doesn't allow the remote file storage URL.
We should probably add the LFS object storage endpoint to `connect-src` when proxy downloading is disabled.
Steps to reproduce
- Enable the CSP (enabled by default in dev and test)
- Set `proxy_download` to `false` in gitlab.yml (copy the `object_store:` config from gdk.yml.example to gdk.yml, set `consolidated_form: true` and `enabled: true`, and add `proxy_download: false`):

  ```yaml
  object_store:
    backup_remote_directory: ''
    connection:
      provider: AWS
      aws_access_key_id: minio
      aws_secret_access_key: gdk-minio
      region: gdk
      endpoint: http://127.0.0.1:9000
      path_style: true
    console_port: 9002
    consolidated_form: true
    proxy_download: false
    enabled: true
    host: 127.0.0.1
    objects:
      artifacts:
        bucket: artifacts
      external_diffs:
        bucket: external-diffs
      lfs:
        bucket: lfs-objects
      uploads:
        bucket: uploads
      packages:
        bucket: packages
      dependency_proxy:
        bucket: dependency-proxy
      terraform_state:
        bucket: terraform
      pages:
        bucket: pages
    port: 9000
  ```

- Enable LFS and push a PDF file (or import https://gitlab.com/LER0ever/pdf-preview-issue)
- Visit the LFS PDF in the project and observe the preview failing to load ("An error occurred while loading the file. Please try again later.") and CSP errors in the browser console
Example Project
What is the current bug behavior?
PDF preview doesn't work with LFS, `proxy_download` set to `false` and external object storage.
What is the expected correct behavior?
CSP should adapt seamlessly
Relevant logs and/or screenshots
Output of checks
Reproduced on latest GDK
Possible fixes
- Fix the `worker-src` directive to allow the pdf.js worker to load (e.g. allow `<project path>/raw/:ref`)
- Fix the `connect-src` directive to allow `Projects::RawController#show` to access the object storage endpoint.
However, the tricky part here is that we don't actually know the hostname until we generate a presigned URL.
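To make the two directives concrete, here is an added example (not GitLab's code) of a simplified CSP source-expression matcher in Ruby. It parses a policy header, applies the CSP3 fallback chains (`connect-src` falls back to `default-src`; `worker-src` to `child-src`, then `script-src`, then `default-src`), and checks a constructed presigned MinIO URL of the shape the browser is redirected to when `proxy_download` is `false`. The page origin, endpoint, presigned URL and policy strings are assumptions, not values from this report. It also assumes the object storage origin can be read from the `object_store.connection.endpoint` setting of the consolidated config; under that assumption only that origin (scheme, host, port) has to be added to `connect-src`, never the presigned URL itself.

```ruby
require 'uri'

# Added example, not GitLab's code: a simplified CSP source-expression matcher
# showing why pdf.js's fetch() of a presigned object-storage URL is blocked by
# connect-src, and that adding the endpoint origin as a host-source fixes it.
# Host-source matching follows CSP3 but ignores the optional path part.

# Parse "name src src; name src" into { "name" => ["src", ...] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |part, acc|
    name, *sources = part.strip.split(/\s+/)
    acc[name.downcase] = sources unless name.nil? || name.empty?
  end
end

HOST_SOURCE = %r{\A(?:(?<scheme>[a-z][a-z0-9+.-]*)://)?(?<host>\*|(?:\*\.)?[^/:*]+)(?::(?<port>\d+|\*))?(?<path>/[^?#]*)?\z}i

def same_origin?(a, b)
  a.scheme == b.scheme && a.host == b.host && a.port == b.port
end

def host_source_matches?(expr, url, page_origin)
  m = HOST_SOURCE.match(expr) or return false
  # An explicit scheme must equal the URL's; without one, the page's scheme
  # applies (CSP3 also lets an http page match https URLs; omitted here).
  return false unless url.scheme == (m[:scheme] || page_origin.scheme).downcase
  return false if url.host.nil?
  host = m[:host].downcase
  if host.start_with?('*.')
    return false unless url.host.downcase.end_with?(host[1..])
  elsif host != '*'
    return false unless url.host.downcase == host
  end
  # Port: absent means the scheme's default port; "*" means any port.
  case m[:port]
  when nil then url.port == url.default_port
  when '*' then true
  else url.port == m[:port].to_i
  end
end

def source_matches?(expr, url, page_origin)
  case expr
  when "'none'" then false
  when "'self'" then same_origin?(url, page_origin)
  when /\A'.*'\z/ then false          # other keyword sources never match a URL
  when /\A[a-z][a-z0-9+.-]*:\z/i      # scheme-source, e.g. "blob:" or "https:"
    url.scheme == expr.chomp(':').downcase
  else host_source_matches?(expr, url, page_origin)
  end
end

# CSP3 fallback chains for the two directives discussed in this issue.
FALLBACK = {
  'connect-src' => %w[connect-src default-src],
  'worker-src'  => %w[worker-src child-src script-src default-src]
}.freeze

def effective_sources(policy, directive)
  FALLBACK.fetch(directive) { [directive, 'default-src'] }.each { |n| return policy[n] if policy.key?(n) }
  nil # no governing directive: the request is not restricted
end

def allowed?(header, directive, url, page_origin)
  sources = effective_sources(parse_csp(header), directive)
  return true if sources.nil?
  url = URI(url)
  page_origin = URI(page_origin)
  sources.any? { |s| source_matches?(s, url, page_origin) }
end

# Host-source to add to connect-src from a configured endpoint: the origin
# only, never the presigned URL with its query string (assumption: the
# endpoint is available from object_store.connection.endpoint).
def object_store_source(endpoint)
  u = URI(endpoint)
  "#{u.scheme}://#{u.host}:#{u.port}"
end

# Constructed values (not from the report): a GDK-style page origin, the MinIO
# endpoint, a presigned LFS object URL, and a policy before/after the fix.
PAGE_ORIGIN = 'http://127.0.0.1:3000'
ENDPOINT = 'http://127.0.0.1:9000'
PRESIGNED_LFS_URL = "#{ENDPOINT}/lfs-objects/ab/cd/abcd1234?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=3600&X-Amz-Signature=0000"
POLICY_BEFORE = "default-src 'self'; connect-src 'self' wss://127.0.0.1:3000; script-src 'self' blob:"
POLICY_AFTER  = POLICY_BEFORE.sub('connect-src', "connect-src #{object_store_source(ENDPOINT)}")
RAW_WORKER_URL = "#{PAGE_ORIGIN}/root/pdf-preview-issue/-/raw/main/pdf.worker.js"

if __FILE__ == $PROGRAM_NAME
  puts "connect-src before fix: #{allowed?(POLICY_BEFORE, 'connect-src', PRESIGNED_LFS_URL, PAGE_ORIGIN)}"
  puts "connect-src after fix:  #{allowed?(POLICY_AFTER, 'connect-src', PRESIGNED_LFS_URL, PAGE_ORIGIN)}"
  puts "worker-src via script-src fallback: #{allowed?(POLICY_AFTER, 'worker-src', RAW_WORKER_URL, PAGE_ORIGIN)}"
end
```

Running it prints `false`, `true`, `true`: the presigned URL is rejected because its port (9000) differs from `'self'` (3000), and passes once `http://127.0.0.1:9000` is listed. The third line shows the `worker-src` fallback: with no `worker-src` or `child-src`, a same-origin `/raw/:ref` worker is governed by `script-src 'self'`.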
Edited by Joe Woodward