Allow self-hosted instances to render same-origin Iframe
What does this MR do and why?
Fixes omnibus-gitlab#6648, #349892 (comment 819864538)
It was found that self-hosted instances without CSP enabled have the `X-Frame-Options` header set to `DENY`. This breaks the sandboxing of Mermaid diagrams, which requires framing a resource from the same origin. This MR updates the header value to `SAMEORIGIN`.
More details
- Using `SAMEORIGIN` for `X-Frame-Options` allows GitLab instances to use iframes from the same origin.
- It is equivalent to the `frame-ancestors` value proposed for the not-yet-enabled CSP: https://gitlab.com/gitlab-org/gitlab/-/blob/d0eeb2830eecb0b99ca70edf818787f259523e25/lib/gitlab/content_security_policy/config_loader.rb#L21
- We already have `frame-ancestors` for gitlab.com as well as for GDK instances, which overrides the `X-Frame-Options` header.
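The precedence rule the list above relies on (a CSP `frame-ancestors` directive, when present, takes over from `X-Frame-Options`) is easy to get wrong when reading response headers by hand. The following is an added example, not code from this MR or from GitLab, that evaluates constructed response headers the way a browser does and reports whether a same-origin iframe would be allowed. The header values are constructed for illustration; the `origin:` keyword is an assumption of this example.

```ruby
# Added example (not GitLab code): decide whether a same-origin parent page may
# frame a response, given the response headers the MR discusses.

# Returns the source list of a CSP frame-ancestors directive, or nil if the
# header is absent or carries no such directive. Report-Only CSP is deliberately
# not consulted: browsers never enforce it.
def frame_ancestors_sources(csp)
  return nil if csp.nil?

  csp.split(';').each do |directive|
    name, *sources = directive.strip.split(/\s+/)
    return sources if name && name.casecmp?('frame-ancestors')
  end
  nil
end

# Returns :allowed or :blocked for a same-origin iframe.
# `origin:` (assumed parameter) lets an explicit host-source in
# frame-ancestors match the page's own origin, e.g. "https://gitlab.example".
def same_origin_framing(headers, origin: nil)
  # Header names are case-insensitive; normalise before lookup.
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v }

  sources = frame_ancestors_sources(h['content-security-policy'])
  if sources
    # CSP frame-ancestors is present: X-Frame-Options is ignored entirely.
    permitted = sources.any? do |s|
      s == "'self'" || s == '*' || (origin && s.casecmp?(origin))
    end
    return permitted ? :allowed : :blocked
  end

  case h['x-frame-options']&.strip&.upcase
  when 'DENY'       then :blocked
  when 'SAMEORIGIN' then :allowed
  when nil          then :allowed # no framing restriction set at all
  else                   :allowed # unrecognised values are ignored by browsers
  end
end

# Constructed header sets mirroring the situations described in the MR.
BEFORE_SELF_HOSTED = { 'X-Frame-Options' => 'DENY' }.freeze
AFTER_SELF_HOSTED  = { 'X-Frame-Options' => 'SAMEORIGIN' }.freeze
GITLAB_COM_STYLE   = {
  'X-Frame-Options' => 'DENY',
  'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'self'"
}.freeze
LOCKED_DOWN_CSP    = { 'Content-Security-Policy' => "frame-ancestors 'none'" }.freeze

if $PROGRAM_NAME == __FILE__
  puts "self-hosted, before MR: #{same_origin_framing(BEFORE_SELF_HOSTED)}"
  puts "self-hosted, after MR:  #{same_origin_framing(AFTER_SELF_HOSTED)}"
  puts "CSP frame-ancestors:    #{same_origin_framing(GITLAB_COM_STYLE)}"
  puts "CSP 'none':             #{same_origin_framing(LOCKED_DOWN_CSP)}"
end
```

The third case is the one that explains why gitlab.com and GDK were unaffected: `X-Frame-Options: DENY` is still sent, but the `frame-ancestors 'self'` directive wins, so the Mermaid sandbox frame loads.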
Screenshots or screen recordings
[screenshots: before | after]
The above screenshots are from a review app, with the `X-Frame-Options` header injected manually via a Chrome extension.
How to set up and validate locally
- Disable CSP on your GDK
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 3c6606066cd..e1fa80e59bb 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -2,7 +2,7 @@
csp_settings = Settings.gitlab.content_security_policy
-csp_settings['enabled'] = Gitlab::ContentSecurityPolicy::ConfigLoader.default_enabled if csp_settings['enabled'].nil?
+csp_settings['enabled'] = false
csp_settings['report_only'] = false if csp_settings['report_only'].nil?
csp_settings['directives'] ||= {}
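Review bot: this hunk is a local testing aid only and must not be committed; the replaced line `csp_settings['enabled'] = false` also drops the `.nil?` guard, so it overrides any `enabled` value configured in gitlab.yml instead of only supplying a default. For the validation steps that is intended, but it is worth stating explicitly in the description that the diff is meant to be reverted afterwards.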
- Create an issue with a Mermaid diagram.
- It should render correctly with these MR changes.

Alternatively, any up-to-date GitLab instance (such as a review app) can be verified with a Chrome extension (such as ModHeader) by injecting an `X-Frame-Options` response header with the value `SAMEORIGIN`.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.