author | Douwe Maan <douwe@gitlab.com> | 2016-09-27 11:38:59 +0000 |
committer | Ruben Davila <rdavila84@gmail.com> | 2016-09-28 11:00:23 -0500 |
commit | 93a4e438edc4afa64332d9169d447925a67b8ab5 (patch) | |
tree | a14088808c43bf42e1c10a9b9b94b829d9b5fd90 | |
parent | fe93a9b4ecf52d7cf861f0fae95c27448d43c015 (diff) | |
Merge branch '22450-restrict-origin' into 'master'
Set a restrictive CORS policy for the API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450
See merge request !1998
-rw-r--r-- | config/application.rb | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/config/application.rb b/config/application.rb
index 4792f6670a8..1ebdb43d662 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -99,13 +99,24 @@ module Gitlab
     config.action_view.sanitized_allowed_protocols = %w(smb)
 
-    config.middleware.use Rack::Attack
+    config.middleware.insert_before Warden::Manager, Rack::Attack
 
     # Allow access to GitLab API from other domains
-    config.middleware.use Rack::Cors do
+    config.middleware.insert_before Warden::Manager, Rack::Cors do
+      allow do
+        origins Gitlab.config.gitlab.url
+        resource '/api/*',
+          credentials: true,
+          headers: :any,
+          methods: :any,
+          expose: ['Link']
+      end
+
+      # Cross-origin requests must not have the session cookie available
       allow do
         origins '*'
         resource '/api/*',
+          credentials: false,
           headers: :any,
           methods: :any,
           expose: ['Link']