Skip to content

Remove CSP values that were added for removed GKE feature

Dominic Couture requested to merge dcouture-remove-gke-csp into master

What does this MR do and why?

Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/336139

Since the removal of the form-based GKE creation page in #357309 (closed) there are some values in the CSP that aren't needed anymore. This MR removes them.

They were originally added to the .com GSP in this commit https://gitlab.com/gitlab-com/gl-infra/chef-repo/-/commit/f04a64a06706be6fd7fd0762a3291aa8c621f3e0 and then added to the Rails-based CSP because we simply copied the values over from .com.

Screenshots or screen recordings

N/A

How to set up and validate locally

Once the GDK is up and running run this command

$ curl -si http://gdk.test:3000/ | grep -i content-security-policy
Content-Security-Policy: base-uri 'self'; child-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com http://gdk.test:3000/assets/ blob: data:; connect-src 'self' http://gdk.test:3808 ws://gdk.test:3808 http://gdk.test:9091/ ws://gdk.test:3000 test.local; default-src 'self'; font-src 'self'; form-action 'self' https: http:; frame-ancestors 'self'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.googletagmanager.com/ns.html http://gdk.test:3000/rails/letter_opener/ http://gdk.test:3000/admin/ http://gdk.test:3000/assets/ http://gdk.test:3000/-/speedscope/index.html http://gdk.test:3000/-/sandbox/ https://customers.staging.gitlab.com; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self' data: blob: http: https:; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net 'nonce-zAFZIJHR5c4lmI0UXmYwGQ=='; style-src 'self' 'unsafe-inline'; worker-src http://gdk.test:3000/assets/ blob: data:

and observe that the values that were removed in this MR do not appear in the CSP

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture

Merge request reports