diff options
| author | Robert Speicher <robert@gitlab.com> | 2017-05-23 18:49:44 +0000 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-05-26 05:21:47 +0000 |
| commit | 2ef4828fdc13ee69ec38ef87535c65bf32d0620d (patch) | |
| tree | 8dd1a1183b6dc2c99d4194798b77a3d39bdb4441 | |
| parent | a4ed0931ef2e70b1095f0f783793615dbcc1f968 (diff) | |
| download | gitlab-ce-2ef4828fdc13ee69ec38ef87535c65bf32d0620d.tar.gz | |
Merge branch 'dz-api-x-frame' into 'security-9-2'
Restrict API X-Frame-Options to same origin
See merge request !2103
| -rw-r--r-- | changelogs/unreleased/dz-api-x-frame.yml | 4 | ||||
| -rw-r--r-- | lib/api/api.rb | 1 |
2 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/dz-api-x-frame.yml b/changelogs/unreleased/dz-api-x-frame.yml new file mode 100644 index 00000000000..0483a9e076a --- /dev/null +++ b/changelogs/unreleased/dz-api-x-frame.yml @@ -0,0 +1,4 @@ +--- +title: Restrict API X-Frame-Options to same origin +merge_request: +author: diff --git a/lib/api/api.rb b/lib/api/api.rb index 1bf20f76ad6..6b78443cbcb 100644 --- a/lib/api/api.rb +++ b/lib/api/api.rb @@ -44,6 +44,7 @@ module API end before { allow_access_with_scope :api } + before { header['X-Frame-Options'] = 'SAMEORIGIN' } rescue_from Gitlab::Access::AccessDeniedError do rack_response({ 'message' => '403 Forbidden' }.to_json, 403) |