
After upgrading to 5.7.0 Mermaid flowcharts fail to load due to connection refused

Summary

After I've updated GitLab to the latest version, Mermaid charts fail to load because the X-Frame-Options header is set to deny.

Steps to reproduce

Upgraded to chart version 5.7.0 and looked at a wiki page with an embedded Mermaid chart. This chart fails to load due to Chrome blocking it.

Configuration used

global:
  edition: ce
  ## doc/charts/globals.md#configure-appconfig-settings
  ## Rails based portions of this chart share many settings
  appConfig:
    ## doc/charts/globals.md#general-application-settings
    contentSecurityPolicy:
      enabled: false
      report_only: false

I've also tried:

global:
  edition: ce
  ## doc/charts/globals.md#configure-appconfig-settings
  ## Rails based portions of this chart share many settings
  appConfig:
    contentSecurityPolicy:
      enabled: true
      report_only: false
      directives:
        default_src: "'self'"
        script_src: "'self' 'unsafe-inline' 'unsafe-eval' https://www.recaptcha.net https://apis.google.com"
        frame_ancestor: "'self'"
        frame_src: "'self' https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com"
        img_src: "* data: blob:"
        style_src: "'self' 'unsafe-inline'"

but alas, this also didn't fix the issue. The Content-Security-Policy header is correctly set, but the X-Frame-Options header appears to have a higher priority to deny the frame than the CSP.

Current behavior

The X-Frame-Options header is set to 'deny', resulting in a Chrome error stating that the server refused to connect to the client.

Expected behavior

The Mermaid chart should properly load.

Versions

  • Chart: 5.7.0
  • Platform:
    • Cloud: GKE
  • Kubernetes: (kubectl version)
    • Client: 1.23.3
    • Server: 1.21.5-gke.1802
  • Helm: (helm version)
    • Client: 3.8.0
    • Server: n.a.

Relevant logs

Refused to display 'https://gitlab.<hostname>/' in a frame because it set 'X-Frame-Options' to 'deny'.

Workaround

By setting the following configuration:

global:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/configuration-snippet: |
        more_clear_headers "X-Frame-Options";

I was able to load the file, but clearing the X-Frame-Options header doesn't seem to be the correct solution.

Edited by Sander Verkuil
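The report turns on how a browser decides whether a page may be framed when both X-Frame-Options and a Content-Security-Policy header are present. The following Python script is an added example, not code from the reporter or from the GitLab chart: it applies the CSP rule that a frame-ancestors directive, when one is actually emitted, takes precedence over X-Frame-Options, and that without such a directive X-Frame-Options alone decides. The host name gitlab.example and the header sets are constructed for the example.

```python
from urllib.parse import urlsplit

def origin(url):
    """scheme://host[:port], lower-cased, the way browsers compare origins."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def parse_csp(header):
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives

def source_allows(src, page_url, ancestor_url):
    """Minimal frame-ancestors matching: 'none', 'self', *, scheme-source, origin."""
    src = src.lower().rstrip("/")
    if src == "'none'":
        return False
    if src == "'self'":
        return origin(page_url) == origin(ancestor_url)
    if src == "*":
        return True
    if src.endswith(":"):                      # scheme-source such as https:
        return origin(ancestor_url).startswith(src)
    return origin(ancestor_url) == src         # host-source written as an origin

def framing_allowed(headers, page_url, ancestor_url):
    """Return (allowed, deciding_policy) for page_url embedded by ancestor_url.
    Per the CSP spec a frame-ancestors directive, when present, overrides
    X-Frame-Options; a CSP header that lacks the directive (for example one
    whose directive name is misspelled) leaves X-Frame-Options in force."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        ok = any(source_allows(s, page_url, ancestor_url) for s in csp["frame-ancestors"])
        return ok, "frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False, "x-frame-options"
    if xfo == "sameorigin":
        return origin(page_url) == origin(ancestor_url), "x-frame-options"
    return True, "no framing restriction"

# Constructed inputs: the framed diagram page and the wiki page embedding it (same origin).
PAGE = "https://gitlab.example/diagram"
WIKI = "https://gitlab.example/group/project/-/wikis/home"
REPORTED = {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-src 'self'"}
WITH_ANCESTORS = {"X-Frame-Options": "DENY",
                  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
```

Running framing_allowed over REPORTED reproduces the "refused to display" outcome, while WITH_ANCESTORS permits the same-origin embed and still refuses a foreign ancestor, without having to strip the X-Frame-Options header at the ingress.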