diff options
author | Nick Thomas <nick@gitlab.com> | 2016-09-22 13:21:55 +0100 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2016-09-26 13:05:01 +0100 |
commit | 3870138960b6918d999f879bed5e8d938ea43fae (patch) | |
tree | 048eb19fea94d6b17cbb00b004197c25901409c1 /config/application.rb | |
parent | ae5831500a953528ec79a87f1da52ced014f74d7 (diff) | |
download | gitlab-ce-3870138960b6918d999f879bed5e8d938ea43fae.tar.gz |
Set a restrictive CORS policy on the API for credentialed requests
Cross-origin requests can still be made, as long as the client doesn't
use the Rails session cookie to do so. Existing clients should not
be setting 'withCredentials: true', so this should be fine.
Diffstat (limited to 'config/application.rb')
-rw-r--r-- | config/application.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/config/application.rb b/config/application.rb index 4f04687a5e4..1ebdb43d662 100644 --- a/config/application.rb +++ b/config/application.rb @@ -104,8 +104,19 @@ module Gitlab # Allow access to GitLab API from other domains config.middleware.insert_before Warden::Manager, Rack::Cors do allow do + origins Gitlab.config.gitlab.url + resource '/api/*', + credentials: true, + headers: :any, + methods: :any, + expose: ['Link'] + end + + # Cross-origin requests must not have the session cookie available + allow do origins '*' resource '/api/*', + credentials: false, headers: :any, methods: :any, expose: ['Link'] |