authorDouwe Maan <douwe@gitlab.com>2016-09-27 11:38:59 +0000
committerRuben Davila <rdavila84@gmail.com>2016-09-28 11:00:23 -0500
commit93a4e438edc4afa64332d9169d447925a67b8ab5 (patch)
treea14088808c43bf42e1c10a9b9b94b829d9b5fd90
parentfe93a9b4ecf52d7cf861f0fae95c27448d43c015 (diff)
Merge branch '22450-restrict-origin' into 'master'
Set a restrictive CORS policy for the API.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450

See merge request !1998
-rw-r--r--config/application.rb15
1 files changed, 13 insertions, 2 deletions
diff --git a/config/application.rb b/config/application.rb
index 4792f6670a8..1ebdb43d662 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -99,13 +99,24 @@ module Gitlab
config.action_view.sanitized_allowed_protocols = %w(smb)
- config.middleware.use Rack::Attack
+ config.middleware.insert_before Warden::Manager, Rack::Attack
# Allow access to GitLab API from other domains
- config.middleware.use Rack::Cors do
+ config.middleware.insert_before Warden::Manager, Rack::Cors do
+ allow do
+ origins Gitlab.config.gitlab.url
+ resource '/api/*',
+ credentials: true,
+ headers: :any,
+ methods: :any,
+ expose: ['Link']
+ end
+
+ # Cross-origin requests must not have the session cookie available
allow do
origins '*'
resource '/api/*',
+ credentials: false,
headers: :any,
methods: :any,
expose: ['Link']