| field | value | date |
|---|---|---|
| author | Nick Thomas <nick@gitlab.com> | 2016-09-22 13:21:55 +0100 |
| committer | Nick Thomas <nick@gitlab.com> | 2016-09-26 13:05:01 +0100 |
| commit | 3870138960b6918d999f879bed5e8d938ea43fae (patch) | |
| tree | 048eb19fea94d6b17cbb00b004197c25901409c1 /config | |
| parent | ae5831500a953528ec79a87f1da52ced014f74d7 (diff) | |
| download | gitlab-ce-3870138960b6918d999f879bed5e8d938ea43fae.tar.gz | |
Set a restrictive CORS policy on the API for credentialed requests
Cross-origin requests can still be made, as long as the client doesn't
use the Rails session cookie to do so. Existing clients should not
be setting 'withCredentials: true', so this should be fine.
Diffstat (limited to 'config')
-rw-r--r-- | config/application.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/config/application.rb b/config/application.rb index 4f04687a5e4..1ebdb43d662 100644 --- a/config/application.rb +++ b/config/application.rb @@ -104,8 +104,19 @@ module Gitlab # Allow access to GitLab API from other domains config.middleware.insert_before Warden::Manager, Rack::Cors do allow do + origins Gitlab.config.gitlab.url + resource '/api/*', + credentials: true, + headers: :any, + methods: :any, + expose: ['Link'] + end + + # Cross-origin requests must not have the session cookie available + allow do origins '*' resource '/api/*', + credentials: false, headers: :any, methods: :any, expose: ['Link'] |
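Review bot: in the new credentialed block, `origins Gitlab.config.gitlab.url` is compared against the browser's `Origin` header, which only ever carries `scheme://host[:port]`; if the configured URL includes a path (a relative URL root) or a trailing slash, the first block never matches and same-origin credentialed calls fall through to the `origins '*'` / `credentials: false` block, where the browser drops the session cookie silently. Consider deriving the origin from the URL (scheme, host and non-default port only) before passing it to `origins`, and add a short comment above this block like the one on the wildcard block ("Cross-origin requests must not have the session cookie available") stating that it is the only block allowed to set `credentials: true` and that it must stay first, since Rack::Cors evaluates `allow` blocks in order.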