Fix CSP problems with Jira connect self-managed
What does this MR do and why?
This fixes the CORS problem described here: !89378 (comment 973388865)
The fix has two parts:
- Allow the self-managed instance as `connect-src`
  - This is done with the changes in `app/controllers/jira_connect/subscriptions_controller.rb`
  - It lists the self-managed instance as a trusted source so we can request it through JavaScript
- Add GitLab.com as a trusted origin for the `/-/jira_connect/oauth_application_id` endpoint
  - This is done with the changes in `config/application.rb`
  - It enables the self-managed instance to receive requests from GitLab.com
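To make the two parts concrete, here is a small Ruby model of the logic. It is an added example for this page, not the MR's own code: the real changes use Rails' CSP and CORS middleware in the files listed above, while the names `self_managed_origin`, `csp_with_self_managed` and `cors_headers_for` and the hash-of-directives policy representation are hypothetical. The one practitioner point it adds is that the configured instance URL is reduced to its origin before it enters the policy, because CSP separates directives with `;` and sources with whitespace, so a raw config value must not be spliced into the header.

```ruby
require 'uri'

# Hypothetical model of the fix (added example, not GitLab code).
JIRA_CONNECT_APP_ID_PATH = '/-/jira_connect/oauth_application_id'.freeze

# Reduce the configured self-managed instance URL to scheme://host[:port].
# Only http(s) origins are accepted; a path, query string or stray ';' from
# the setting never reaches the Content-Security-Policy header.
def self_managed_origin(instance_url)
  uri = URI.parse(instance_url.to_s.strip)
  return nil unless uri.is_a?(URI::HTTP) && uri.host # URI::HTTPS < URI::HTTP

  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host}#{port}"
rescue URI::InvalidURIError
  nil
end

# Build the CSP header value with the self-managed instance added to
# connect-src. `base` is the existing policy as { directive => [sources] }.
def csp_with_self_managed(base, instance_url)
  origin = self_managed_origin(instance_url)
  directives = base.transform_values(&:dup)
  if origin
    directives['connect-src'] ||= ["'self'"]
    directives['connect-src'] << origin unless directives['connect-src'].include?(origin)
  end
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
end

# CORS decision for the application-id endpoint: only that path, only GET and
# OPTIONS. A wildcard origin is acceptable here only because the application
# id is not a secret and the request carries no credentials ('*' cannot be
# combined with Access-Control-Allow-Credentials: true).
def cors_headers_for(path:, method:, origin:)
  return {} unless origin && path == JIRA_CONNECT_APP_ID_PATH
  return {} unless %w[GET OPTIONS].include?(method.upcase)

  headers = { 'Access-Control-Allow-Origin' => '*' }
  if method.upcase == 'OPTIONS'
    headers['Access-Control-Allow-Methods'] = 'GET, OPTIONS'
    headers['Access-Control-Max-Age'] = '600'
  end
  headers
end

if $PROGRAM_NAME == __FILE__
  base = { 'default-src' => ["'self'"], 'connect-src' => ["'self'"] }
  # The path segment is dropped, so no second directive can be smuggled in.
  puts csp_with_self_managed(base, 'https://gitlab.example.com/;script-src')
  p cors_headers_for(path: JIRA_CONNECT_APP_ID_PATH, method: 'OPTIONS', origin: 'http://notgitlab.com')
end
```

Anything that is not an http(s) origin (`javascript:` URLs, bare strings, unparsable input) leaves the policy unchanged rather than weakening it.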
How to set up and validate locally
- Enable the `jira_connect_oauth_self_managed` feature flag in the Rails console: `Feature.enable(:jira_connect_oauth_self_managed)`
- Enable the `jira_connect_oauth` feature flag in the Rails console: `Feature.enable(:jira_connect_oauth)`
- Go to http://localhost:3000/admin/application_settings/general
- Expand GitLab for Jira App
- Enter `1234` in the application ID field and click Save changes
- Run the preflight request:
  curl --head --location --request OPTIONS 'http://127.0.0.1:3000/-/jira_connect/oauth_application_id' --header 'Origin: http://notgitlab.com'
- Verify that the response headers contain `Access-Control-Allow-Origin: *`
- Run the actual request:
  curl --head --location --request GET 'http://127.0.0.1:3000/-/jira_connect/oauth_application_id' --header 'Origin: http://notgitlab.com'
- Verify that the response headers contain `Access-Control-Allow-Origin: *`
- Note that the endpoint answers with a wildcard, which is why the check passes for the non-GitLab test origin as well; this is only acceptable because the application ID is not a secret and the request is made without credentials
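The two "verify that the response headers contain" steps can be automated. The following Ruby script is an added example for this page, not part of the MR: it parses the header blocks that `curl --head --location` prints, looks only at the final hop, and checks the CORS headers case-insensitively. The three sample responses are constructed, not captured from a GitLab instance, and the script name `check_cors.rb` is hypothetical.

```ruby
# Added example (not part of the MR): check curl --head output for the CORS
# headers the validation steps expect. Sample responses below are constructed.

# Split raw `curl --head --location` output into hops and return
# [status, headers] for the final hop, which is the response a browser sees.
def parse_head_output(raw)
  blocks = raw.to_s.split(/\r?\n\r?\n/).map(&:strip).reject(&:empty?)
  return [0, {}] if blocks.empty?

  lines = blocks.last.lines.map(&:chomp)
  status = lines.shift.split(' ')[1].to_i
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?

    headers[name.strip.downcase] = value.strip # header names are case-insensitive
  end
  [status, headers]
end

# True when the final response is 2xx and allows any origin; a preflight must
# additionally advertise GET in Access-Control-Allow-Methods.
def cors_ok?(raw, preflight: false)
  status, headers = parse_head_output(raw)
  return false unless (200..299).cover?(status)
  return false unless headers['access-control-allow-origin'] == '*'

  if preflight
    methods = headers.fetch('access-control-allow-methods', '').split(',').map { |m| m.strip.upcase }
    return false unless methods.include?('GET')
  end
  true
end

# Constructed sample: a good preflight response.
SAMPLE_PREFLIGHT = <<~HTTP
  HTTP/1.1 200 OK
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Methods: GET, OPTIONS
  Content-Length: 0
HTTP

# Constructed sample: a good GET response with a lower-cased header name.
SAMPLE_GET = <<~HTTP
  HTTP/1.1 200 OK
  Content-Type: application/json; charset=utf-8
  access-control-allow-origin: *
HTTP

# Constructed sample of the failure mode: a redirect followed by a page
# that carries no CORS header at all.
SAMPLE_MISSING = <<~HTTP
  HTTP/1.1 302 Found
  Location: http://127.0.0.1:3000/users/sign_in

  HTTP/1.1 200 OK
  Content-Type: text/html; charset=utf-8
HTTP

if $PROGRAM_NAME == __FILE__
  # Usage (hypothetical file name):
  #   curl --head --location --request OPTIONS 'http://127.0.0.1:3000/-/jira_connect/oauth_application_id' \
  #        --header 'Origin: http://notgitlab.com' > preflight.txt
  #   ruby check_cors.rb preflight.txt --preflight
  if ARGV[0]
    puts cors_ok?(File.read(ARGV[0]), preflight: ARGV.include?('--preflight')) ? 'CORS ok' : 'CORS missing'
  else
    puts cors_ok?(SAMPLE_PREFLIGHT, preflight: true) # true
  end
end
```

Checking the last hop matters with `--location`: an intermediate redirect can carry headers the final page does not, and it is the final response the browser's CORS check applies to.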
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Andy Schoenen