Stop using 'self' in the CSP's frame-src directive
What does this MR do and why?
Related to #336136 (closed)
One part of &6363
It fixes the CSP bypass described in the issue above. Once all known bypasses are patched, it will limit the impact of XSS on GitLab.
Screenshots or screen recordings
How to set up and validate locally
To see the change: simply start the GDK locally, visit any page in the GitLab application and observe the Content-Security-Policy header in the response (present only in development mode).
To validate it didn't break anything: Visit pages where GitLab (the application) is framing itself
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Dominic Couture
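To check the observed Content-Security-Policy header mechanically rather than by eye, the following script parses a CSP header and reports whether the directive governing framed documents still permits 'self' (or a scheme or wildcard source that covers the same origin). It is an added example for the validation step above, not code from this MR or from GitLab; the two sample headers and the `https://recaptcha.example` host in them are constructed for illustration and are not GitLab's actual policy.

```python
"""Check a Content-Security-Policy header for a frame-src that still
allows framing the same origin.

Added example for validating this MR locally; it is not GitLab code.
The sample headers below are constructed and do not reproduce GitLab's
real policy.
"""

from __future__ import annotations

import sys

# Constructed samples: the policy before and after removing 'self'.
BEFORE_HEADER = (
    "default-src 'self'; "
    "frame-src 'self' https://recaptcha.example; "
    "object-src 'none'"
)
AFTER_HEADER = (
    "default-src 'self'; "
    "frame-src https://recaptcha.example; "
    "object-src 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; each is a name followed by
    whitespace-separated sources. Names are case-insensitive, and the
    spec says a repeated directive is ignored after its first occurrence.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # only the first occurrence of a directive counts
        policy[name] = tokens[1:]
    return policy


def effective_frame_src(policy: dict[str, list[str]]) -> list[str] | None:
    """Return the source list that governs framed documents.

    frame-src falls back to child-src, then default-src, when absent.
    None means no directive applies, so CSP does not restrict framing.
    """
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return policy[name]
    return None


def frame_src_allows_self(header: str) -> bool:
    """True when the policy lets the page frame same-origin URLs.

    Matches 'self' itself plus the scheme and wildcard sources that
    necessarily cover the page's own origin. A host source that happens
    to equal the page's host is not detected here, since the page's
    origin is unknown to this check.
    """
    sources = effective_frame_src(parse_csp(header))
    if sources is None:
        return True  # no applicable directive: framing unrestricted
    return any(src.lower() in ("'self'", "*", "http:", "https:") for src in sources)


def verdict(header: str) -> str:
    """Human-readable result for one header value."""
    if frame_src_allows_self(header):
        return "FAIL: frame-src (or its fallback) still allows the page's own origin"
    return "OK: frame-src does not allow the page's own origin"


if __name__ == "__main__":
    # Usage: pass the header value as the first argument, or run with no
    # arguments to see the verdict for the two constructed samples.
    if len(sys.argv) > 1:
        print(verdict(sys.argv[1]))
    else:
        print("before:", verdict(BEFORE_HEADER))
        print("after: ", verdict(AFTER_HEADER))
```

The check deliberately looks at the fallback chain (frame-src, then child-src, then default-src), because removing 'self' from frame-src alone is not enough if frame-src is absent and default-src 'self' takes over.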