Include LFS object store URL in CSP connect-src
What does this MR do and why?
Fixes bug described in #375598 (closed)
Under certain conditions PDF files stored in LFS are blocked by our Content-Security-Policy.
This happens when the Content-Security-Policy headers are enabled and the LFS object storage config has `proxy_download` set to `false`: the PDF viewer then fetches the file directly from the object store, whose origin is not covered by the CSP `connect-src` directive.
To fix this we include the URL of the file in the CSP headers when the page is first loaded.
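To make the bug and the fix concrete, here is an added example (not code from this MR or from GitLab) that evaluates a `connect-src` check the way a browser would, against constructed sample values: a GDK page origin, a presigned MinIO URL for an LFS object, and a header before and after the object URL is added.

```ruby
require 'uri'

# Parse a CSP header into { directive_name => [source expressions] }.
def parse_csp(header)
  header.split(';').each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    policy[name.downcase] = sources if name && !name.empty?
  end
end

# Does one CSP source expression permit a fetch to +url+ from a page at +page+?
# Handles 'self', '*', scheme-only sources, and host sources with optional scheme,
# "*." host wildcard, port (or ':*') and path (exact, or prefix when it ends in '/').
# Simplification (assumption): the http->https upgrade rules of CSP3 are not modelled.
DEFAULT_PORTS = { 'http' => 80, 'https' => 443, 'ws' => 80, 'wss' => 443 }.freeze

def source_matches?(source, url, page)
  return true if source == '*'
  return [url.scheme, url.host, url.port] == [page.scheme, page.host, page.port] if source == "'self'"
  return false if source.start_with?("'")            # 'none', nonces and hashes never match a fetch
  return url.scheme == source.chomp(':').downcase if source.match?(/\A[a-z][a-z0-9+.-]*:\z/i)
  m = source.match(%r{\A(?:([a-z][a-z0-9+.-]*)://)?([^:/]+)(?::(\d+|\*))?(/\S*)?\z}i)
  return false unless m
  scheme, host, port, path = m.captures
  scheme_ok = url.scheme == (scheme || page.scheme).downcase
  host_ok   = host.start_with?('*.') ? url.host.end_with?(host[1..]) : url.host.casecmp?(host)
  port_ok   = port == '*' || url.port == (port ? port.to_i : DEFAULT_PORTS[url.scheme])
  path_ok   = path.nil? || (path.end_with?('/') ? url.path.start_with?(path) : url.path == path)
  scheme_ok && host_ok && port_ok && path_ok
end

# Would the browser allow an XHR/fetch to +fetch_url+ under this header?
# connect-src falls back to default-src; with neither present the fetch is unrestricted.
def connect_allowed?(header, fetch_url, page_url)
  sources = parse_csp(header).values_at('connect-src', 'default-src').compact.first
  return true if sources.nil?
  url, page = URI.parse(fetch_url), URI.parse(page_url)
  sources.any? { |s| source_matches?(s, url, page) }
end

# Constructed sample values (not taken from the MR).
PAGE_URL   = 'http://gdk.test:3000/group/project/-/blob/main/manual.pdf'
LFS_URL    = 'http://127.0.0.1:9000/lfs-objects/ab/cd/abcdef0123?X-Amz-Signature=placeholder'
CSP_BEFORE = "default-src 'self'; connect-src 'self' ws://gdk.test:3000"
CSP_AFTER  = "#{CSP_BEFORE} http://127.0.0.1:9000/lfs-objects/ab/cd/abcdef0123"

if __FILE__ == $PROGRAM_NAME
  puts "before: #{connect_allowed?(CSP_BEFORE, LFS_URL, PAGE_URL) ? 'allowed' : 'blocked by CSP'}"
  puts "after:  #{connect_allowed?(CSP_AFTER, LFS_URL, PAGE_URL) ? 'allowed' : 'blocked by CSP'}"
end
```

Because the added source carries a path, it matches only that object URL (exact path match, query ignored), not every object in the bucket.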
Screenshots or screen recordings
With CSP enabled and proxy_download set to false:
- Before changes: CSP headers (screenshot); request to fetch the raw PDF file is blocked by CSP (screenshot)
- After changes: CSP headers (screenshot); request to fetch the raw PDF file is successfully redirected (screenshot)
How to set up and validate locally
- Enable the CSP (default enabled in dev and test)
- Enable `proxy_download` in gitlab.yml (copy the `object_store:` config from gdk.yml.example to gdk.yml and set `consolidated_form: true`, `enabled: true` and add `proxy_download: false`):

```yaml
object_store:
  backup_remote_directory: ''
  connection:
    provider: AWS
    aws_access_key_id: minio
    aws_secret_access_key: gdk-minio
    region: gdk
    endpoint: http://127.0.0.1:9000
    path_style: true
  console_port: 9002
  consolidated_form: true
  proxy_download: false
  enabled: true
  host: 127.0.0.1
  objects:
    artifacts:
      bucket: artifacts
    external_diffs:
      bucket: external-diffs
    lfs:
      bucket: lfs-objects
    uploads:
      bucket: uploads
    packages:
      bucket: packages
    dependency_proxy:
      bucket: dependency-proxy
    terraform_state:
      bucket: terraform
    pages:
      bucket: pages
  port: 9000
```
- Enable LFS and push a PDF file (or import https://gitlab.com/LER0ever/pdf-preview-issue)
- Visit the LFS PDF in the project and observe the preview loading (the previous error stated "An error occurred while loading the file. Please try again later.")
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Closes: #375598 (closed)