From ed1fedeeb773f7668d27733d0a0272ac3dc365d2 Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Wed, 22 May 2024 17:28:21 +0200
Subject: [PATCH 1/7] Add option to add custom html header tags via gitlab.yml config

In some cases such as adding the EU cookie consent, custom tags within the html header are needed.
Closes https://gitlab.com/gitlab-org/gitlab/-/issues/444193
Changelog: added
---
 app/views/layouts/_head.html.haml | 4 +++
 config/gitlab.yml.example | 7 +++++
 config/initializers/1_settings.rb | 1 +
 doc/administration/configure.md | 1 +
 doc/administration/custom_html_header_tags.md | 29 +++++++++++++++++++
 spec/views/layouts/_head.html.haml_spec.rb | 11 +++++++
 6 files changed, 53 insertions(+)
 create mode 100644 doc/administration/custom_html_header_tags.md

diff --git a/app/views/layouts/_head.html.haml b/app/views/layouts/_head.html.haml
index 34858a52204136..73ae623b81b1ce 100644
--- a/app/views/layouts/_head.html.haml
+++ b/app/views/layouts/_head.html.haml
@@ -111,3 +111,7 @@
 = render_if_exists "layouts/frontend_monitor"
 %meta{ name: "description", content: page_description }
 %meta{ name: 'theme-color', content: user_theme_primary_color }
+
+ - if Gitlab.config.gitlab.respond_to?(:custom_html_header_tags)
+ - unless Gitlab.config.gitlab.custom_html_header_tags.empty?
+ = Gitlab.config.gitlab.custom_html_header_tags.html_safe
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 86457f339b82c1..2a25f0a5504273 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
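Review bot: The two nested guards on the added lines can be one `present?` check: once the initializer in this series defaults the key to `''`, `respond_to?(:custom_html_header_tags)` is expected to be true on every loaded config, and `unless ... .empty?` would raise `NoMethodError` should the value ever be nil or a non-String, so `- if Gitlab.config.gitlab.custom_html_header_tags.present?` followed by `= Gitlab.config.gitlab.custom_html_header_tags.html_safe` is both shorter and more robust. The `.html_safe` call is the one place in this layout where operator-supplied markup bypasses escaping; a HAML comment stating the trust boundary, `-# custom_html_header_tags comes only from gitlab.yml (admin-controlled), never from the database or a request, so it is emitted unescaped by design`, would stop a future change from pointing this at a mutable application setting without noticing the consequence. The `respond_to?` guard only protects an instance whose `1_settings.rb` predates the key, which the `||= ''` default added in the same patch is meant to cover.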
@@ -139,6 +139,13 @@ production: &base ## 11 - Dark Mode (alpha) # default_theme: 1 # default: 1 + ## Custom html header tags # In some cases some custom header tags are needed # e.g., to add the EU cookie consent # custom_html_header_tags: | # default: '' # # ## Automatic issue closing # If a commit message matches this regular expression, all issues referenced from the matched text will be closed. # This happens when the commit is pushed or merged into the default branch of a project.
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index feda8a86af6856..992dd63d2baacd 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -187,6 +187,7 @@
 # `default_can_create_group` is deprecated since GitLab 15.5 in favour of the `can_create_group` column on `ApplicationSetting`.
 Settings.gitlab['default_can_create_group'] = true if Settings.gitlab['default_can_create_group'].nil?
 Settings.gitlab['default_theme'] = Gitlab::Themes::APPLICATION_DEFAULT if Settings.gitlab['default_theme'].nil?
+Settings.gitlab['custom_html_header'] ||= Settings.gitlab['custom_html_header'] || ''
 Settings.gitlab['host'] ||= ENV['GITLAB_HOST'] || 'localhost'
 Settings.gitlab['cdn_host'] ||= ENV['GITLAB_CDN_HOST'].presence
 Settings.gitlab['ssh_host'] ||= Settings.gitlab.host
diff --git a/doc/administration/configure.md b/doc/administration/configure.md
index 7ea3b19ea33cc2..df6f280e11d019 100644
--- a/doc/administration/configure.md
+++ b/doc/administration/configure.md
@@ -47,3 +47,4 @@ Customize and configure your self-managed GitLab installation.
 - [Issue closing pattern](../administration/issue_closing_pattern.md)
 - [Snippets](../administration/snippets/index.md)
 - [Host the product documentation](../administration/docs_self_host.md)
+- [Custom HTML header tags](../administration/custom_html_header_tags.md)
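Review bot: `Settings.gitlab['custom_html_header'] ||= Settings.gitlab['custom_html_header'] || ''` repeats the key on the right-hand side to no effect — `||=` already assigns only when the current value is nil or false — so the line reduces to `Settings.gitlab['custom_html_header'] ||= ''`. The neighbouring lines share the `||=` shape but fall back to a different source (`ENV['GITLAB_HOST']`), which is why they read naturally and this one does not; the same redundant form is carried into the renamed line in patch 2/7's `1_settings.rb` hunk further down. Because the view hands this value straight to `html_safe` and `empty?`, a default that also fixes the type, `Settings.gitlab['custom_html_header'] = Settings.gitlab['custom_html_header'].to_s`, would keep a non-string YAML value (a bare number, for instance) from raising in the template; treat that as a suggestion, since the hunk does not show how the settings loader types values.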
diff --git a/doc/administration/custom_html_header_tags.md b/doc/administration/custom_html_header_tags.md
new file mode 100644
index 00000000000000..ff687120d35f3f
--- /dev/null
+++ b/doc/administration/custom_html_header_tags.md
@@ -0,0 +1,29 @@
+---
+stage: Govern
+group: Compliance
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+description: Learn how to modify the HTML header tags of your GitLab instance.
+---
+
+# Custom HTML header tags
+
+DETAILS:
+**Tier:** Free, Premium, Ultimate
+**Offering:** Self-managed
+
+If you self-manage a GitLab instance in the EU, or any jurisdiction that
+requires a cookie consent banner, additional HTML header tags are needed to
+add scripts and stylesheets.
+
+For self-compiled installations:
+
+```yaml
+gitlab:
+ custom_html_header_tags: | # default: ''
+
+
+```
+
+> **Note**: Limit the functionality you are adding by using HTML header tags to
+the minimum. It could cause stability or functionality issues if you for example
+interact with other application code from GitLab.
diff --git a/spec/views/layouts/_head.html.haml_spec.rb b/spec/views/layouts/_head.html.haml_spec.rb
index 5ef25bdbde42e0..992edcf95f3212 100644
--- a/spec/views/layouts/_head.html.haml_spec.rb
+++ b/spec/views/layouts/_head.html.haml_spec.rb
@@ -95,6 +95,17 @@
 end
 end
 
+ context 'when custom_html_header_tags are set' do
+ before do
+ allow(Gitlab.config.gitlab).to receive(:custom_html_header_tags).and_return('')
+ end
+
+ it 'adds the custom html header tag' do
+ render
+ expect(rendered).to match('')
+ end
+ end
+
 context 'when an asset_host is set and snowplow url is set', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/346542' do
 let(:asset_host) { 'http://test.host' }
 let(:snowplow_collector_hostname) { 'www.snow.plow' }
-- 
GitLab

From e0e0372a877c66b069a46389019e40b427dd3854 Mon Sep 17 00:00:00 2001
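Review bot: The new context covers only the positive path; nothing asserts that the layout emits no extra markup when `custom_html_header_tags` is `''`, which is the default the initializer installs and the branch the `unless ... .empty?` guard in the view exists for. A sibling context stubbing `and_return('')` with `expect(rendered).not_to match(...)` on a marker string would pin that behaviour. As rendered on this page both the `and_return` literal and the `match` argument read as `''`; if that is what the spec actually contains rather than markup lost in rendering, the example is vacuous, because the view renders nothing for an empty string and `match('')` matches any output.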
From: Roger Meier
Date: Sat, 25 May 2024 11:57:03 +0200
Subject: [PATCH 2/7] Incorporate review findings from Achilleas

---
 config/gitlab.yml.example | 2 +-
 config/initializers/1_settings.rb | 2 +-
 doc/administration/custom_html_header_tags.md | 14 +++++++-------
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 2a25f0a5504273..a13a37031c6bb7 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -142,7 +142,7 @@ production: &base
 ## Custom html header tags
 # In some cases some custom header tags are needed
 # e.g., to add the EU cookie consent
- # custom_html_header_tags: | # default: ''
+ # custom_html_header_tags: |
 #
 #
 
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 992dd63d2baacd..1a37895853c4be 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -187,7 +187,7 @@
 # `default_can_create_group` is deprecated since GitLab 15.5 in favour of the `can_create_group` column on `ApplicationSetting`.
 Settings.gitlab['default_can_create_group'] = true if Settings.gitlab['default_can_create_group'].nil?
 Settings.gitlab['default_theme'] = Gitlab::Themes::APPLICATION_DEFAULT if Settings.gitlab['default_theme'].nil?
-Settings.gitlab['custom_html_header'] ||= Settings.gitlab['custom_html_header'] || ''
+Settings.gitlab['custom_html_header_tags'] ||= Settings.gitlab['custom_html_header_tags'] || ''
 Settings.gitlab['host'] ||= ENV['GITLAB_HOST'] || 'localhost'
 Settings.gitlab['cdn_host'] ||= ENV['GITLAB_CDN_HOST'].presence
 Settings.gitlab['ssh_host'] ||= Settings.gitlab.host
diff --git a/doc/administration/custom_html_header_tags.md b/doc/administration/custom_html_header_tags.md
index ff687120d35f3f..ba4b29afbf0dcb 100644
--- a/doc/administration/custom_html_header_tags.md
+++ b/doc/administration/custom_html_header_tags.md
@@ -15,15 +15,15 @@ If you self-manage a GitLab instance in the EU, or any jurisdiction that
 requires a cookie consent banner, additional HTML header tags are needed to
 add scripts and stylesheets.
 
+You should limit the functionality you are adding by using HTML header tags to
+the minimum. It could cause stability or functionality issues if you, for example,
+interact with other application code from GitLab.
+
 For self-compiled installations:
 
 ```yaml
 gitlab:
- custom_html_header_tags: | # default: ''
-
-
+ custom_html_header_tags: |
+
+
 ```
-
-> **Note**: Limit the functionality you are adding by using HTML header tags to
-the minimum. It could cause stability or functionality issues if you for example
-interact with other application code from GitLab.
-- 
GitLab

From 8d7852c0482296a27c1fcf4f6a0a6fda2a3b6afc Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Mon, 27 May 2024 08:30:35 +0000
Subject: [PATCH 3/7] Apply 2 suggestion(s) to 1 file(s)

Co-authored-by: Achilleas Pipinellis
---
 doc/administration/custom_html_header_tags.md | 35 +++++++++++++++----
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/doc/administration/custom_html_header_tags.md b/doc/administration/custom_html_header_tags.md
index ba4b29afbf0dcb..723fd86bb275cb 100644
--- a/doc/administration/custom_html_header_tags.md
+++ b/doc/administration/custom_html_header_tags.md
@@ -11,6 +11,8 @@ DETAILS:
 **Tier:** Free, Premium, Ultimate
 **Offering:** Self-managed
 
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/153877) in GitLab 17.1.
+
 If you self-manage a GitLab instance in the EU, or any jurisdiction that
 requires a cookie consent banner, additional HTML header tags are needed to
 add scripts and stylesheets.
@@ -19,11 +21,30 @@ You should limit the functionality you are adding by using HTML header tags to
 the minimum. It could cause stability or functionality issues if you, for example,
 interact with other application code from GitLab.
 
-For self-compiled installations:
+To add a custom HTML header tag:
+
+::Tabs
+
+:::TabTitle Self-compiled
+
+1. Edit `/home/git/gitlab/config/gitlab.yml`:
+
+ ```yaml
+ production: &base
+ gitlab:
+ custom_html_header_tags: |
+
+
+ ```
+
+1. Save the file and restart GitLab:
+
+ ```shell
+ # For systems running systemd
+ sudo systemctl restart gitlab.target
+
+ # For systems running SysV init
+ sudo service gitlab restart
+ ```
 
-```yaml
-gitlab:
- custom_html_header_tags: |
-
-
-```
+::EndTabs
-- 
GitLab

From 42f9e95eb24786d3be572d1faf7fb16f2a7e7bd2 Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Wed, 29 May 2024 12:41:39 +0200
Subject: [PATCH 4/7] Add hint about Content Security Policy

---
 config/gitlab.yml.example | 2 ++
 doc/administration/custom_html_header_tags.md | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index a13a37031c6bb7..e5cecc7d1b66d3 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -142,6 +142,8 @@ production: &base
 ## Custom html header tags
 # In some cases some custom header tags are needed
 # e.g., to add the EU cookie consent
+ # Tip: you must add the externals source to the content_security_policy as
+ # well, typically the script_src and style_src.
 # custom_html_header_tags: |
 #
 #
diff --git a/doc/administration/custom_html_header_tags.md b/doc/administration/custom_html_header_tags.md
index 723fd86bb275cb..b041fda92174c2 100644
--- a/doc/administration/custom_html_header_tags.md
+++ b/doc/administration/custom_html_header_tags.md
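Review bot: The new tip tells the operator to add the external source to `content_security_policy` but not whether the `directives` values extend or replace GitLab's built-in policy; the documentation example added in the same patch repeats a full `script_src` list (reCAPTCHA and Google API origins next to `https://example.com`), which suggests replacement. If that is the behaviour, the comment should state it, because an admin who writes only their own origin would drop the default sources and break existing pages, while one who copies the example wholesale inherits `'unsafe-eval'` and `http://localhost:*` entries that may not belong in a production policy. A wording along the lines of `# Tip: external sources loaded by these tags must also be allowed in content_security_policy (script_src / style_src); the directive values you set here replace the built-in defaults, so keep the default sources in the list` (adjusted to whichever semantics the loader actually has) keeps that consequence visible where the option is edited.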
@@ -21,6 +21,10 @@ You should limit the functionality you are adding by using HTML header tags to
 the minimum. It could cause stability or functionality issues if you, for example,
 interact with other application code from GitLab.
 
+You must add the externals sources to the Content Security Policy which is
+available within the `content_security_policy` option. For the example below you
+must extend the `script_src` and `style_src`.
+
 To add a custom HTML header tag:
 
 ::Tabs
@@ -35,6 +39,10 @@ To add a custom HTML header tag:
 custom_html_header_tags: |
 
 
+ content_security_policy:
+ directives:
+ script_src: "'self' 'unsafe-eval' https://example.com http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
+ style_src: "'self' 'unsafe-inline' https://example.com"
 ```
 
 1. Save the file and restart GitLab:
-- 
GitLab

From 7d2d011ad210600669d9e363c490a5c9e5efe35f Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Wed, 29 May 2024 19:56:37 +0000
Subject: [PATCH 5/7] Apply 1 suggestion(s) to 1 file(s)

Co-authored-by: Achilleas Pipinellis
---
 config/gitlab.yml.example | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index e5cecc7d1b66d3..afb7697472e386 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -145,8 +145,8 @@ production: &base
 # Tip: you must add the externals source to the content_security_policy as
 # well, typically the script_src and style_src.
 # custom_html_header_tags: |
- #
- #
+ #
+ #
 
 ## Automatic issue closing
 # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
-- 
GitLab

From 23ad6dd0b3fbbe2a789096c3ee4d5a9c761bf976 Mon Sep 17 00:00:00 2001
From: Achilleas Pipinellis
Date: Wed, 29 May 2024 21:24:23 +0000
Subject: [PATCH 6/7] Apply 1 suggestion(s) to 1 file(s)

---
 doc/administration/custom_html_header_tags.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/administration/custom_html_header_tags.md b/doc/administration/custom_html_header_tags.md
index b041fda92174c2..075b538ba3b191 100644
--- a/doc/administration/custom_html_header_tags.md
+++ b/doc/administration/custom_html_header_tags.md
@@ -22,7 +22,7 @@ the minimum. It could cause stability or functionality issues if you, for exampl
 interact with other application code from GitLab.
 
 You must add the externals sources to the Content Security Policy which is
-available within the `content_security_policy` option. For the example below you
+available in the `content_security_policy` option. For the following example, you
 must extend the `script_src` and `style_src`.
 
 To add a custom HTML header tag:
-- 
GitLab

From b2049e882660c924d924415340631103d168d2bc Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Thu, 30 May 2024 12:34:57 +0000
Subject: [PATCH 7/7] Apply 2 suggestion(s) to 1 file(s)

Co-authored-by: Achilleas Pipinellis
---
 doc/administration/custom_html_header_tags.md | 20 +++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/doc/administration/custom_html_header_tags.md b/doc/administration/custom_html_header_tags.md
index 075b538ba3b191..6a8b509411fa90 100644
--- a/doc/administration/custom_html_header_tags.md
+++ b/doc/administration/custom_html_header_tags.md
@@ -17,10 +17,22 @@ If you self-manage a GitLab instance in the EU, or any jurisdiction that
 requires a cookie consent banner, additional HTML header tags are needed to
 add scripts and stylesheets.
 
-You should limit the functionality you are adding by using HTML header tags to
-the minimum. It could cause stability or functionality issues if you, for example,
+## Security implications
+
+Before enabling this feature, you should understand the security implications this might have.
+
+A previously legit external resource could end up being compromised and then used to extract
+pretty much any data from any user in the GitLab instance. For that reason,
+you should never add resources from untrusted external sources. If possible, you should always
+use integrity checks like [Subresource Integrity](https://www.w3.org/TR/SRI/) with third-party
+resources to confirm the authenticity of the resources that are loaded.
+
+Limit the functionality you are adding by using HTML header tags to the minimum.
+Otherwise, it could cause also stability or functionality issues if you, for example,
 interact with other application code from GitLab.
 
+## Add a custom HTML header tag
+
 You must add the externals sources to the Content Security Policy which is
 available in the `content_security_policy` option. For the following example, you
 must extend the `script_src` and `style_src`.
@@ -37,8 +49,8 @@ To add a custom HTML header tag:
 production: &base
 gitlab:
 custom_html_header_tags: |
-
-
+
+
 content_security_policy:
 directives:
 script_src: "'self' 'unsafe-eval' https://example.com http://localhost:* https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://www.gstatic.com/recaptcha/ https://apis.google.com"
-- 
GitLab