
Add snowplow to the CSP of all controllers

Dominic Couture requested to merge dcouture-csp-snowplow-everywhere into master

What does this MR do and why?

Fixes #381590 (closed)

Snowplow was added to the CSP in ApplicationController but our Devise pages didn't have it and it's causing a lot of CSP errors (and missed data in snowplow too I would imagine!)

Currently this bug only affects the gprd-cny environment as far as production ~SaaS is concerned, gprd uses a hardcoded CSP which doesn't have this issue.

This MR uses the same technique that was used by @dblessing in Add BaseActionController to allow setting secur... (!131571 - merged). This MR was later reverted in !134542 (merged) for reasons unrelated to the BaseActionController. It was a great idea so I'm re-using it here!

Screenshots or screen recordings

N/A

How to set up and validate locally

  1. Modify the Snowplow settings in /admin/application_settings/general#js-snowplow-settings to enable Snowplow and set a Snowplow collector host.

  2. Observe the CSP (Content-Security-Policy HTTP header) includes your Snowplow domain now on both "normal" (ApplicationController) pages and Devise pages (test.local was my Snowplow collector host)

    $ curl -si http://gdk.test:3000/metrics | grep -o 'connect-src.*test.local'
    connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 test.local

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture
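The validation step above greps one page by hand. The script below, an added example that is not part of this MR or of GitLab's own code, makes the same check repeatable: it pulls the source list of a given CSP directive out of a header, falls back to default-src when the directive is absent (which is how browsers resolve connect-src), and reports whether a collector host is allowed. The two headers embedded in it are constructed samples modelled on the curl output in the description (one with the Snowplow host, one without, as a Devise page produced before this fix); fetch_csp is the only part that talks to a live instance, and gdk.test:3000 and test.local are assumed values taken from the description.

```shell
#!/bin/sh
# Added example: checking that a Snowplow collector host is allowed by the
# connect-src directive of a Content-Security-Policy header.
# The two headers below are CONSTRUCTED samples, not captured from a real instance.
csp_app="Content-Security-Policy: default-src 'self'; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000 test.local; script-src 'self'"
csp_devise_old="Content-Security-Policy: default-src 'self'; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 ws://gdk.test:3000; script-src 'self'"

# fetch_csp URL -> prints the Content-Security-Policy header of a live page
# (not exercised here; assumes a running instance such as http://gdk.test:3000).
fetch_csp() {
  curl -si "$1" | grep -i '^content-security-policy:' | tr -d '\r'
}

# csp_directive_sources HEADER DIRECTIVE -> prints the source list of DIRECTIVE
# (empty if the directive is not present in the policy).
csp_directive_sources() {
  printf '%s\n' "$1" \
    | sed 's/^[Cc]ontent-[Ss]ecurity-[Pp]olicy: *//' \
    | tr ';' '\n' \
    | sed 's/^ *//' \
    | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print }'
}

# csp_effective_sources HEADER DIRECTIVE -> sources that actually apply:
# fetch directives like connect-src fall back to default-src when absent.
csp_effective_sources() {
  sources=$(csp_directive_sources "$1" "$2")
  if [ -z "$sources" ]; then
    sources=$(csp_directive_sources "$1" default-src)
  fi
  printf '%s\n' "$sources"
}

# csp_allows HEADER DIRECTIVE HOST -> exit 0 if HOST is listed as a source
csp_allows() {
  csp_effective_sources "$1" "$2" | tr ' ' '\n' | grep -qxF -- "$3"
}

# check_page LABEL HEADER HOST -> human-readable verdict for one page type
check_page() {
  if csp_allows "$2" connect-src "$3"; then
    echo "$1: connect-src allows $3"
  else
    echo "$1: connect-src is MISSING $3 (Snowplow requests will be blocked)"
  fi
}

check_page "ApplicationController page (/metrics)" "$csp_app" test.local
check_page "Devise page before fix (/users/sign_in)" "$csp_devise_old" test.local
```

Against a running instance, replace the constructed headers with `fetch_csp http://gdk.test:3000/metrics` and `fetch_csp http://gdk.test:3000/users/sign_in` and run check_page on both; after this MR both should report the collector host as allowed. The default-src fallback matters because a policy with no connect-src at all is not the same failure as one that lists the wrong hosts, and a grep for `connect-src.*host` alone would miss that distinction.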
