author | Robert Speicher <robert@gitlab.com> | 2017-05-23 18:49:44 +0000 |
---|---|---|
committer | Timothy Andrew <mail@timothyandrew.net> | 2017-05-26 06:15:41 +0000 |
commit | 34c6aee6e684a4eb9e5b040025836bb4abd83e82 (patch) | |
tree | c2dd61d879c3b07e68dcf6fae4b54539a3a1bc1c | |
parent | 810cc51be37e03ebbe99711a53663956e4ffde8c (diff) | |
download | gitlab-ce-34c6aee6e684a4eb9e5b040025836bb4abd83e82.tar.gz |
Merge branch 'dz-api-x-frame' into 'security-9-2'
Restrict API X-Frame-Options to same origin
See merge request !2103
-rw-r--r-- | changelogs/unreleased/dz-api-x-frame.yml | 4 | ||||
-rw-r--r-- | lib/api/api.rb | 1 |
2 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/dz-api-x-frame.yml b/changelogs/unreleased/dz-api-x-frame.yml
new file mode 100644
index 00000000000..0483a9e076a
--- /dev/null
+++ b/changelogs/unreleased/dz-api-x-frame.yml
@@ -0,0 +1,4 @@
+---
+title: Restrict API X-Frame-Options to same origin
+merge_request:
+author:
diff --git a/lib/api/api.rb b/lib/api/api.rb
index 1bf20f76ad6..6b78443cbcb 100644
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -44,6 +44,7 @@ module API
     end
     before { allow_access_with_scope :api }
+    before { header['X-Frame-Options'] = 'SAMEORIGIN' }
     rescue_from Gitlab::Access::AccessDeniedError do
       rack_response({ 'message' => '403 Forbidden' }.to_json, 403)
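Review bot: The added `before { header['X-Frame-Options'] = 'SAMEORIGIN' }` sets the header on the endpoint's response headers, but the `rescue_from` handler two lines below builds its reply with `rack_response(..., 403)` and no headers argument, so error responses produced there (and by any sibling `rescue_from` outside this hunk) likely go out without the new header; this is inferred from how `rack_response` is called here and should be confirmed against the Grape version in use. A request that fails in the earlier `before { allow_access_with_scope :api }` hook may never reach the new hook at all, since the two `before` blocks run in order. Suggest a spec that asserts `response.headers['X-Frame-Options'] == 'SAMEORIGIN'` on both a successful API call and a 403/401 error response, and, if the error path is bare, passing the header explicitly to the `rack_response` calls together with the existing content type. A one-line comment above the new hook, e.g. `# Clickjacking defence: API responses may only be framed by the same origin`, would also record why this lives in the API class rather than the app-wide headers. The enclosing `module API` / class body starts and ends outside this hunk.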