
Add GITLAB_CDN_HOST to frame-src and worker-src

Dominic Couture requested to merge add-cdn-to-frame-worker-csp into master

What does this MR do and why?

Related to #341434 (closed)

GITLAB_CDN_HOST was added to worker-src and frame-src directives of the CSP to have parity with .com

No changelog added as it's only affecting dev/test environment for now.

  • Current parent branch is remove-self-frame-src, remove Draft prefix when !71345 (merged) is merged

Screenshots or screen recordings

No visible changes

How to set up and validate locally

Run the following commands and observe that the CDN was included in the CSP header

$ export GITLAB_CDN_HOST='https://cdn.example.com'
$ gdk start
$ curl -si http://127.0.0.1:3000 | grep cdn.example.com
Content-Security-Policy: base-uri 'self'; child-src http://127.0.0.1:3000/admin/sidekiq http://127.0.0.1:3000/-/speedscope/index.html https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://cdn.example.com; connect-src 'self' ws://127.0.0.1:3000 http://127.0.0.1:3808 ws://127.0.0.1:3808; default-src 'self'; font-src 'self' https://cdn.example.com; form-action 'self' https: http:; frame-ancestors 'self'; frame-src http://127.0.0.1:3000/admin/sidekiq http://127.0.0.1:3000/-/speedscope/index.html https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://cdn.example.com; img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://cdn.example.com 'nonce-+t9V2/UEHG0zknM0H+H60g=='; style-src 'self' 'unsafe-inline' https://cdn.example.com; worker-src 'self' blob: data: https://cdn.example.com

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Dominic Couture
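The validation step above greps for the CDN host anywhere in the response, which would also match the host in `font-src` or `style-src` where it was already present. The following added example (not code from the MR or from GitLab; the function names `parse_csp`, `effective_sources`, `host_allowed`, `check_cdn` and `csp_from_raw_response` are this example's own) parses the CSP header value printed by the `curl -si` step into its directives and checks that the CDN host is listed in the two directives this MR touches. It also follows the CSP Level 3 fallback chain, which is why the header shows the host in `child-src` as well: `frame-src` falls back to `child-src` then `default-src`, and `worker-src` falls back to `child-src`, then `script-src`, then `default-src`. The sample header is the one captured in the MR description.

```python
"""Check that a CDN host is allowed by specific CSP directives.

Added example, not part of the MR or of GitLab's code base. Parses a
Content-Security-Policy header value into directives and verifies the
CDN host is present in frame-src and worker-src (following CSP3
fallback) instead of matching the host anywhere in the header.
"""
from typing import Dict, List, Optional, Tuple

# CSP Level 3 fallback chains for the two directives this MR changes.
# Other directives are looked up literally (no fallback modelled here).
FALLBACK = {
    "frame-src": ["frame-src", "child-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
}

# Constructed sample: the header value shown in the MR's validation step
# (GITLAB_CDN_HOST='https://cdn.example.com', GDK on 127.0.0.1:3000).
SAMPLE_CSP = (
    "base-uri 'self'; "
    "child-src http://127.0.0.1:3000/admin/sidekiq "
    "http://127.0.0.1:3000/-/speedscope/index.html https://www.google.com/recaptcha/ "
    "https://www.recaptcha.net/ https://content.googleapis.com "
    "https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com "
    "https://content-cloudresourcemanager.googleapis.com https://cdn.example.com; "
    "connect-src 'self' ws://127.0.0.1:3000 http://127.0.0.1:3808 ws://127.0.0.1:3808; "
    "default-src 'self'; font-src 'self' https://cdn.example.com; "
    "form-action 'self' https: http:; frame-ancestors 'self'; "
    "frame-src http://127.0.0.1:3000/admin/sidekiq "
    "http://127.0.0.1:3000/-/speedscope/index.html https://www.google.com/recaptcha/ "
    "https://www.recaptcha.net/ https://content.googleapis.com "
    "https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com "
    "https://content-cloudresourcemanager.googleapis.com https://cdn.example.com; "
    "img-src 'self' data: blob: http: https:; manifest-src 'self'; media-src 'self'; "
    "object-src 'none'; script-src 'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' "
    "https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com "
    "https://cdn.example.com 'nonce-+t9V2/UEHG0zknM0H+H60g=='; "
    "style-src 'self' 'unsafe-inline' https://cdn.example.com; "
    "worker-src 'self' blob: data: https://cdn.example.com"
)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated; within a directive, tokens are
    whitespace-separated. When a directive name is repeated, the spec
    honours only the first occurrence, so duplicates are ignored here too.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Return the source list that actually governs `directive` after fallback,
    or None when nothing in its chain is set."""
    for name in FALLBACK.get(directive, [directive]):
        if name in policy:
            return policy[name]
    return None


def host_allowed(policy: Dict[str, List[str]], directive: str, host: str) -> bool:
    """True if `host` is listed literally in the governing source list.

    This checks for the explicit entry the MR adds; it does not evaluate
    scheme-source or wildcard matching (e.g. 'https:' would also permit it).
    """
    sources = effective_sources(policy, directive)
    if sources is None:
        return False
    return any(src.lower() == host.lower() for src in sources)


def check_cdn(header_value: str, cdn_host: str,
              directives: Tuple[str, ...] = ("frame-src", "worker-src")) -> Dict[str, bool]:
    """Per-directive verdict for the directives the MR is expected to change."""
    policy = parse_csp(header_value)
    return {d: host_allowed(policy, d, cdn_host) for d in directives}


def csp_from_raw_response(raw: str) -> Optional[str]:
    """Extract the Content-Security-Policy value from `curl -si` output."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    for line in head.splitlines():
        name, colon, val = line.partition(":")
        if colon and name.strip().lower() == "content-security-policy":
            return val.strip()
    return None


if __name__ == "__main__":
    for directive, ok in check_cdn(SAMPLE_CSP, "https://cdn.example.com").items():
        print(f"{directive}: {'present' if ok else 'MISSING'}")
```

Pipe the real response through `csp_from_raw_response` and then `check_cdn` to turn the manual grep into a pass/fail check; the fallback chain also explains why a missing `frame-src` would silently inherit `child-src`, so both directives are worth verifying explicitly.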
