Gitpod self-hosted does not allow access to SharedArrayBuffer

[blueberrymuffin3]

Bug description

Gitpod self-hosted adds the "cross-origin-opener-policy: same-origin-allow-popups" header to workspaces, which breaks apps that use SharedArrayBuffer.
The header is added here:

gitpod/components/proxy/conf/Caddyfile

Lines 49 to 56 in aa2c51c

	# workspace security headers
	(workspace_security_headers) {
	header {
	# Disallow sharing the same browsing context when opened in a popup
	Cross-Origin-Opener-Policy same-origin-allow-popups
	}
	import security_headers
	}

For some reason, this doesn't seem to affect gitpod.io

Steps to reproduce

1. Open https://github.com/blueberrymuffin3/gitpod-secure-context-test in gitpod.io and a self-hosted instance of gitpod
2. Tests pass for gitpod.io, but fail on self-hosted gitpod

Workspace affected

No response

Expected behavior

The test should pass on self-hosted Gitpod (i.e. window.SharedArrayBuffer should be defined).

Example repository

https://github.com/blueberrymuffin3/gitpod-secure-context-test

Anything else?

No response

[mrsimonemms]

Hi @blueberrymuffin3, I can't recreate this. I've got this running on gitpod.io and on my own self-hosted instance (set up using my k3s guide)

gitpod.io

My self-hosted instance

In both cases, I'm using your repo and then just going to port 3000 (due to a port conflict, the one on my self-hosted instance is running on port 3001, but that's the only difference)

What version of Gitpod are you running on your self-hosted instance?

[blueberrymuffin3]

I believe this only happens when accessing the app through the browser VS Code instance, as the header is added by the caddy proxy. Forwarding the port to localhost seems to avoid the issue.

[blueberrymuffin3]

I'm running version 2022.6.0, deployed with KOTS.

[blueberrymuffin3]

@mrsimonemms are you able to test accessing the app through VSCode browser instead of through localhost (i.e. 3000-workspace-name.ws.example.com)?

[mrsimonemms]

I normally use VSCode Desktop, but I've tried it in-browser as well - the results are the same between the two. I'm using the live preview extension for the test.

On Gitpod.io, I get:

window.parent (not an iframe): Not OK!
window.isSecureContext (headers): OK
window.SharedArrayBuffer: Not OK!

On my self-hosted instance, I get:

window.parent (not an iframe): Not OK!
window.isSecureContext (headers): OK
window.SharedArrayBuffer: Not OK!

These are different to what you get through a full browser (in my case, I use Firefox). I can't see any difference between the Gitpod.io and self-hosted outputs - if you get different, can you reopen this issue and add a short video demonstrating the different (Loom is pretty good for that)