Fix the sentry URL in the CSP
What does this MR do and why?
Related to #367292 (closed)
The URL added to the CSP's `connect-src` directive for Sentry is based on the Client DSN but the path following the host doesn't match the actual API path. This MR changes the behavior to only have the host in the CSP and not require any specific API path.
How to set up and validate locally
- Modify `gitlab.yml` to enable Sentry

  ```yaml
  ## Error Reporting and Logging with Sentry
  sentry:
    enabled: true
    dsn: https://key@sentry.example.com/project
    clientside_dsn: https://key@sentry.example.com/project
    environment: 'development' # e.g. development, staging, production
  ```

This is not a valid configuration but it's enough to test here.
- Start the gdk
- Navigate to the home page and observe the CSP in the console or fetch it with `curl`

  ```
  $ curl -si http://127.0.0.1:3000 | grep -Eo 'connect-src .*sentry\.example\.com.*?;'
  connect-src 'self' http://127.0.0.1:3808 ws://127.0.0.1:3808 ws://127.0.0.1:3000 https://sentry.example.com;
  ```

It should contain the Sentry server hostname (with scheme) but not the project path.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
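
The behavior this MR describes, as an added Ruby example that is not GitLab's code: it reduces a client DSN to a host-only `connect-src` source and uses a simplified CSP path-matching rule to show why a source that keeps the DSN path blocks the API request. The helper names, the sample API path `/api/project/envelope/` and the "before" source with the DSN path are assumptions made for illustration.

```ruby
require 'uri'

# Hypothetical helper (not GitLab's implementation): reduce a Sentry client DSN
# to a CSP source expression made of scheme, host and any non-default port.
# The DSN's key (userinfo) and project path are dropped.
def csp_source_from_dsn(dsn)
  uri = URI.parse(dsn)
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts http and https only.
  raise ArgumentError, 'DSN must be an http(s) URL' unless uri.is_a?(URI::HTTP) && uri.host

  source = "#{uri.scheme}://#{uri.host}"
  source += ":#{uri.port}" unless uri.port == uri.default_port
  source
end

# Simplified CSP source matching for full URLs (no wildcards, no redirects):
# the origin must be equal; an empty source path allows every path, a path
# ending in "/" is a prefix match, any other path must match exactly.
def csp_source_allows?(source, request_url)
  src = URI.parse(source)
  req = URI.parse(request_url)
  return false unless [src.scheme, src.host, src.port] == [req.scheme, req.host, req.port]
  return true if src.path.empty?
  return req.path.start_with?(src.path) if src.path.end_with?('/')

  req.path == src.path
end

# Constructed sample values.
DSN = 'https://key@sentry.example.com/project'
REQUEST = 'https://sentry.example.com/api/project/envelope/' # assumed API path

if __FILE__ == $PROGRAM_NAME
  with_path = 'https://sentry.example.com/project' # DSN path kept in the source
  host_only = csp_source_from_dsn(DSN)
  puts "#{with_path} allows request: #{csp_source_allows?(with_path, REQUEST)}"
  puts "#{host_only} allows request: #{csp_source_allows?(host_only, REQUEST)}"
end
```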