authorRémy Coutable <remy@rymai.me>2016-09-29 19:02:59 +0200
committerRémy Coutable <remy@rymai.me>2016-09-29 19:02:59 +0200
commit923a1f7ace53f4913284c384ae2a20a39a999f99 (patch)
tree2838062a7e53a84bf9de2b50f7d472f4ea63f5e9 /config/application.rb
parent0a42c6a2c965defe8a67dee2b8fbe1006b9988ce (diff)
parent0ee03af814c34d9c1cad8535b46ad65e96426c8e (diff)
downloadgitlab-ce-923a1f7ace53f4913284c384ae2a20a39a999f99.tar.gz
Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq
Diffstat (limited to 'config/application.rb')
-rw-r--r--config/application.rb15
1 files changed, 13 insertions, 2 deletions
diff --git a/config/application.rb b/config/application.rb
index 8166b6003f6..5dbe5a8120b 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -99,13 +99,24 @@ module Gitlab
config.action_view.sanitized_allowed_protocols = %w(smb)
- config.middleware.use Rack::Attack
+ config.middleware.insert_before Warden::Manager, Rack::Attack
# Allow access to GitLab API from other domains
- config.middleware.use Rack::Cors do
+ config.middleware.insert_before Warden::Manager, Rack::Cors do
+ allow do
+ origins Gitlab.config.gitlab.url
+ resource '/api/*',
+ credentials: true,
+ headers: :any,
+ methods: :any,
+ expose: ['Link']
+ end
+
+ # Cross-origin requests must not have the session cookie available
allow do
origins '*'
resource '/api/*',
+ credentials: false,
headers: :any,
methods: :any,
expose: ['Link']