authorNick Thomas <nick@gitlab.com>2016-09-22 13:21:55 +0100
committerNick Thomas <nick@gitlab.com>2016-09-26 13:05:01 +0100
commit3870138960b6918d999f879bed5e8d938ea43fae (patch)
tree048eb19fea94d6b17cbb00b004197c25901409c1 /config/application.rb
parentae5831500a953528ec79a87f1da52ced014f74d7 (diff)
Set a restrictive CORS policy on the API for credentialed requests
Cross-origin requests can still be made, as long as the client doesn't use the Rails session cookie to do so. Existing clients should not be setting 'withCredentials: true', so this should be fine.
Diffstat (limited to 'config/application.rb')
-rw-r--r--config/application.rb11
1 files changed, 11 insertions, 0 deletions
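--- a/config/application.rb
+++ b/config/application.rb
@@ -104,8 +104,19 @@ module Gitlab
 # Allow access to GitLab API from other domains
 config.middleware.insert_before Warden::Manager, Rack::Cors do
 allow do
+origins Gitlab.config.gitlab.url
+resource '/api/*',
+credentials: true,
+headers: :any,
+methods: :any,
+expose: ['Link']
+end
+
+# Cross-origin requests must not have the session cookie available
+allow do
 origins '*'
 resource '/api/*',
+credentials: false,
 headers: :any,
 methods: :any,
 expose: ['Link']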
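Review bot: The comment above the second `allow` block overstates what `credentials: false` achieves: it only withholds `Access-Control-Allow-Credentials` from the response, so a browser will refuse to expose the response and will abort preflighted requests, but a simple request (e.g. a form-encoded POST) from another origin still reaches the server with the session cookie attached and is executed; what stops such a request from acting is the CSRF token check, not this policy. Suggest rewording it to `# Other origins get no Access-Control-Allow-Credentials, so browsers will not expose credentialed responses (CSRF protection still guards simple requests)`. Separately, rack-cors compares `origins` against the request's Origin header, which carries only scheme, host and port; if `Gitlab.config.gitlab.url` can include a relative URL root path, the first block would presumably never match and the credentialed same-origin case would fall through to the wildcard block — worth confirming against how that setting is populated. The enclosing `config.middleware.insert_before` block continues past the end of this hunk.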