Merge branch 'dz-api-x-frame' into 'security-9-2'

Restrict API X-Frame-Options to same origin See merge request !2103
author: DJ Mountney <david@twkie.net> 2017-06-08 09:54:24 -0700
committer: DJ Mountney <david@twkie.net> 2017-06-08 09:54:24 -0700
commit: e1d1a5240c98a427f2ef10f2a7cbee0c9a883834 (patch)
tree: 522fe74f2e5bd2464fc793918e1b1d3327f8df0f
parent: 982368dc55bbd22f82bf908f8af220056202a65a (diff)
download: gitlab-ce-e1d1a5240c98a427f2ef10f2a7cbee0c9a883834.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/api/api.rb b/lib/api/api.rb
index 88f91c07194..d767af36e8e 100644
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -45,6 +45,7 @@ module API
     end
 
     before { allow_access_with_scope :api }
+    before { header['X-Frame-Options'] = 'SAMEORIGIN' }
     before { Gitlab::I18n.locale = current_user&.preferred_language }
 
     after { Gitlab::I18n.use_default_locale }
author	DJ Mountney <david@twkie.net>	2017-06-08 09:54:24 -0700
committer	DJ Mountney <david@twkie.net>	2017-06-08 09:54:24 -0700
commit	e1d1a5240c98a427f2ef10f2a7cbee0c9a883834 (patch)
tree	522fe74f2e5bd2464fc793918e1b1d3327f8df0f
parent	982368dc55bbd22f82bf908f8af220056202a65a (diff)
download	gitlab-ce-e1d1a5240c98a427f2ef10f2a7cbee0c9a883834.tar.gz