diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-09-27 11:38:59 +0000 |
---|---|---|
committer | Rémy Coutable <remy@rymai.me> | 2016-09-28 17:48:56 +0200 |
commit | 9989f9493513af633f537196d47120bb821d9350 (patch) | |
tree | 7e06e8c03c1a7196a88a2d7f65a4624f628b54f4 | |
parent | f006462d7b41381f83ba90463fc1b291034ee908 (diff) | |
download | gitlab-ce-9989f9493513af633f537196d47120bb821d9350.tar.gz |
Merge branch '22450-restrict-origin' into 'master'
Set a restrictive CORS policy for the API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450
See merge request !1998
Signed-off-by: Rémy Coutable <remy@rymai.me>
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | config/application.rb | 15 |
2 files changed, 14 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG index de08c7a8587..8489df5c9a2 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date. v 8.11.8 - Respect the fork_project permission when forking projects + - Set a restrictive CORS policy on the API for credentialed requests v 8.11.7 - Avoid conflict with admin labels when importing GitHub labels. !6158 diff --git a/config/application.rb b/config/application.rb index 4792f6670a8..1ebdb43d662 100644 --- a/config/application.rb +++ b/config/application.rb @@ -99,13 +99,24 @@ module Gitlab config.action_view.sanitized_allowed_protocols = %w(smb) - config.middleware.use Rack::Attack + config.middleware.insert_before Warden::Manager, Rack::Attack # Allow access to GitLab API from other domains - config.middleware.use Rack::Cors do + config.middleware.insert_before Warden::Manager, Rack::Cors do + allow do + origins Gitlab.config.gitlab.url + resource '/api/*', + credentials: true, + headers: :any, + methods: :any, + expose: ['Link'] + end + + # Cross-origin requests must not have the session cookie available allow do origins '*' resource '/api/*', + credentials: false, headers: :any, methods: :any, expose: ['Link'] |