
After upgrading to 5.7.0 Mermaid flowcharts fail to load due to connection refused

Summary

After I updated GitLab to the latest version, Mermaid charts fail to load because the X-Frame-Options header is set to deny.

Steps to reproduce

Upgraded to chart version 5.7.0 and looked at a wiki page with an embedded Mermaid chart. This chart fails to load because Chrome blocks it.

Configuration used

global:
  edition: ce
  ## doc/charts/globals.md#configure-appconfig-settings
  ## Rails based portions of this chart share many settings
  appConfig:
    ## doc/charts/globals.md#general-application-settings
    contentSecurityPolicy:
      enabled: false
      report_only: false

I've also tried:

global:
  edition: ce
  ## doc/charts/globals.md#configure-appconfig-settings
  ## Rails based portions of this chart share many settings
  appConfig:
    contentSecurityPolicy:
      enabled: true
      report_only: false
      directives:
        default_src: "'self'"
        script_src: "'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com"
        frame_ancestors: "'self'"
        frame_src: "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        img_src: "* data: blob:"
        style_src: "'self' 'unsafe-inline'"

but alas, this didn't fix the issue either. The Content-Security-Policy header is set correctly, but X-Frame-Options appears to take priority over the CSP in denying the frame.

Current behavior

The X-Frame-Options header is set to 'deny', resulting in a Chrome error stating that the server refused to connect to the client.

Expected behavior

The Mermaid chart should properly load.

Versions

  • Chart: 5.7.0
  • Platform:
    • Cloud: GKE
  • Kubernetes: (kubectl version)
    • Client: 1.23.3
    • Server: 1.21.5-gke.1802
  • Helm: (helm version)
    • Client: 3.8.0
    • Server: n.a.

Relevant logs

Refused to display 'https://gitlab.<hostname>/' in a frame because it set 'X-Frame-Options' to 'deny'.

Workaround

By setting the following configuration:

global:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/configuration-snippet: |
        more_clear_headers "X-Frame-Options";

I was able to load the file, but clearing the X-Frame-Options header doesn't seem to be the correct solution.

Edited by Sander Verkuil
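The report turns on how a browser combines X-Frame-Options with a CSP frame-ancestors directive, and the workaround strips X-Frame-Options entirely. The script below is an added example, not code from this issue or from the GitLab chart: it takes a page's raw response headers plus the page URL and the embedding page's URL, and reports whether framing would be allowed and which header decided it. It encodes the CSP Level 2 rule that an enforced frame-ancestors directive, when present, takes precedence over X-Frame-Options, and that a report-only policy enforces nothing. The header samples, hostnames and URLs are constructed; the CSP source matching is simplified (none, self, *, and scheme://host[:port] with a leading wildcard label).

```python
# Added example (not from the GitLab issue or the GitLab chart): decide whether
# a browser would let a page be shown inside a frame, from its response headers.
# Per CSP Level 2, an enforced frame-ancestors directive takes precedence over
# X-Frame-Options; when it is absent, X-Frame-Options decides.
# All headers, hostnames and URLs below are constructed for illustration.
from typing import Optional
from urllib.parse import urlsplit


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse raw HTTP response headers into {lowercase-name: [values]}."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(policies: list[str]) -> Optional[list[str]]:
    """Return the frame-ancestors source list from enforced CSP headers, or None."""
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) of a URL, filling in the default port."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def source_matches(source: str, embedder_url: str, page_url: str) -> bool:
    """Simplified CSP source matching: 'none', 'self', '*', and host-source forms."""
    src = source.strip("'").lower()
    if src == "none":
        return False
    if src == "*":
        return True
    emb = origin(embedder_url)
    if src == "self":
        return emb == origin(page_url)
    scheme, sep, hostport = src.partition("://")
    if not sep:  # scheme-less host-source; simplified here to match any scheme
        scheme, hostport = "", scheme
    host, _, port = hostport.partition(":")
    if scheme and scheme != emb[0]:
        return False
    if port and int(port) != emb[2]:
        return False
    if not port and emb[2] not in (80, 443):  # no port given: only default ports match
        return False
    if host.startswith("*."):
        return emb[1].endswith(host[1:])
    return host == emb[1]


def framing_allowed(raw_headers: str, page_url: str, embedder_url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for embedding page_url in a frame on embedder_url."""
    h = parse_headers(raw_headers)
    ancestors = frame_ancestors(h.get("content-security-policy", []))
    if ancestors is not None:
        ok = any(source_matches(s, embedder_url, page_url) for s in ancestors)
        return ok, "CSP frame-ancestors " + " ".join(ancestors) + " (overrides X-Frame-Options)"
    xfo = [v.lower() for v in h.get("x-frame-options", [])]
    if not xfo:
        return True, "no framing restriction sent"
    if "deny" in xfo:
        return False, "X-Frame-Options: DENY (blocks even same-origin frames)"
    if "sameorigin" in xfo:
        return origin(embedder_url) == origin(page_url), "X-Frame-Options: SAMEORIGIN"
    return False, f"X-Frame-Options value {xfo} not understood; this check treats it as blocked"


# Constructed header sets: DENY alone (the header named in the issue's log line),
# DENY next to an enforced frame-ancestors, DENY next to a report-only CSP, and SAMEORIGIN.
DENY_ONLY = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Type: text/html\r\n"
DENY_WITH_CSP = (
    "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
)
DENY_WITH_REPORT_ONLY = (
    "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
    "Content-Security-Policy-Report-Only: frame-ancestors 'self'\r\n"
)
SAMEORIGIN_ONLY = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"

PAGE = "https://gitlab.example.test/-/wikis/diagram"   # constructed framed page
SAME = "https://gitlab.example.test/-/wikis/home"      # constructed same-origin embedder
OTHER = "https://other.example.test/"                   # constructed cross-origin embedder

if __name__ == "__main__":
    cases = [("DENY only", DENY_ONLY), ("DENY + frame-ancestors", DENY_WITH_CSP),
             ("DENY + report-only CSP", DENY_WITH_REPORT_ONLY), ("SAMEORIGIN", SAMEORIGIN_ONLY)]
    for label, hdrs in cases:
        for who in (SAME, OTHER):
            allowed, why = framing_allowed(hdrs, PAGE, who)
            verdict = "allowed" if allowed else "blocked"
            print(f"{label:24s} from {urlsplit(who).hostname:22s} -> {verdict:7s} ({why})")
```

Run against the constructed samples, the check shows that DENY refuses even a same-origin frame, that SAMEORIGIN or an enforced frame-ancestors 'self' allows the same-origin case while still blocking other origins, and that a report-only policy changes nothing. For an operator this is the useful middle ground between the issue's two states: rather than clearing X-Frame-Options with an ingress snippet, a SAMEORIGIN value or an enforced frame-ancestors directive keeps cross-origin framing protection while permitting the same-origin embed.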