Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq

author: Rémy Coutable <remy@rymai.me> 2016-09-29 19:02:59 +0200
committer: Rémy Coutable <remy@rymai.me> 2016-09-29 19:02:59 +0200
commit: 923a1f7ace53f4913284c384ae2a20a39a999f99 (patch)
tree: 2838062a7e53a84bf9de2b50f7d472f4ea63f5e9 /config/application.rb
parent: 0a42c6a2c965defe8a67dee2b8fbe1006b9988ce (diff)
parent: 0ee03af814c34d9c1cad8535b46ad65e96426c8e (diff)
download: gitlab-ce-923a1f7ace53f4913284c384ae2a20a39a999f99.tar.gz
1 files changed, 13 insertions, 2 deletions
diff --git a/config/application.rb b/config/application.rb
index 8166b6003f6..5dbe5a8120b 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -99,13 +99,24 @@ module Gitlab
 
     config.action_view.sanitized_allowed_protocols = %w(smb)
 
-    config.middleware.use Rack::Attack
+    config.middleware.insert_before Warden::Manager, Rack::Attack
 
     # Allow access to GitLab API from other domains
-    config.middleware.use Rack::Cors do
+    config.middleware.insert_before Warden::Manager, Rack::Cors do
+      allow do
+        origins Gitlab.config.gitlab.url
+        resource '/api/*',
+          credentials: true,
+          headers: :any,
+          methods: :any,
+          expose: ['Link']
+      end
+
+      # Cross-origin requests must not have the session cookie available
       allow do
         origins '*'
         resource '/api/*',
+          credentials: false,
           headers: :any,
           methods: :any,
           expose: ['Link']
author	Rémy Coutable <remy@rymai.me>	2016-09-29 19:02:59 +0200
committer	Rémy Coutable <remy@rymai.me>	2016-09-29 19:02:59 +0200
commit	923a1f7ace53f4913284c384ae2a20a39a999f99 (patch)
tree	2838062a7e53a84bf9de2b50f7d472f4ea63f5e9 /config/application.rb
parent	0a42c6a2c965defe8a67dee2b8fbe1006b9988ce (diff)
parent	0ee03af814c34d9c1cad8535b46ad65e96426c8e (diff)
download	gitlab-ce-923a1f7ace53f4913284c384ae2a20a39a999f99.tar.gz