| field | value | date |
|---|---|---|
| author | Douwe Maan <douwe@gitlab.com> | 2016-09-27 14:38:59 +0300 |
| committer | Rémy Coutable <remy@rymai.me> | 2016-09-28 19:32:58 +0300 |
| commit | a74967505d75a81904ea57b20329982d5d7dfed0 (patch) | |
| tree | 4b2534fbd55738b875b83d69f6a1c8f0aca1e7c0 | |
| parent | 5af2bf0a44e44035dad5fa8be0dcf9a03f35fee5 (diff) | |
Merge branch '22450-restrict-origin' into 'master'
Set a restrictive CORS policy for the API
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450
See merge request !1998
Signed-off-by: Rémy Coutable <remy@rymai.me>
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | CHANGELOG | 1 |
| -rw-r--r-- | config/application.rb | 15 |

2 files changed, 14 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG index fe90e6d2043..aa5cf06c189 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date. v 8.9.11 - Respect the fork_project permission when forking projects + - Set a restrictive CORS policy on the API for credentialed requests v 8.9.10 - Allow the Rails cookie to be used for API authentication. diff --git a/config/application.rb b/config/application.rb index 05fec995ed3..68585b6ba12 100644 --- a/config/application.rb +++ b/config/application.rb @@ -90,13 +90,24 @@ module Gitlab config.action_view.sanitized_allowed_protocols = %w(smb) - config.middleware.use Rack::Attack + config.middleware.insert_before Warden::Manager, Rack::Attack # Allow access to GitLab API from other domains - config.middleware.use Rack::Cors do + config.middleware.insert_before Warden::Manager, Rack::Cors do + allow do + origins Gitlab.config.gitlab.url + resource '/api/*', + credentials: true, + headers: :any, + methods: :any, + expose: ['Link'] + end + + # Cross-origin requests must not have the session cookie available allow do origins '*' resource '/api/*', + credentials: false, headers: :any, methods: :any, expose: ['Link'] |
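Review bot: the CHANGELOG entry under v 8.9.11 should spell out that this is a behaviour change for existing cross-origin callers, not only a hardening. With the wildcard `origins '*'` rule now answering `credentials: false`, a browser client on another origin that relied on the Rails session cookie for API authentication (the v 8.9.10 entry directly below it, "Allow the Rails cookie to be used for API authentication") will no longer be able to read API responses and has to switch to token authentication. One line such as "- Set a restrictive CORS policy on the API for credentialed requests (cross-origin callers must use token authentication)" would make the upgrade impact visible to administrators reading the changelog.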
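Review bot: the comment "# Cross-origin requests must not have the session cookie available" above the wildcard block overstates what `credentials: false` does in rack-cors. It only withholds `Access-Control-Allow-Credentials`, so the browser refuses to expose the response to a credentialed cross-origin call and refuses to send the actual request after a preflight; a simple cross-origin GET or form POST is still sent with the cookie attached and still reaches Warden, so the session cookie remains available server-side and the API's own CSRF/session checks stay the control for those requests. Reword to something like "# Requests from other origins are never granted credentialed (cookie-based) access". Three smaller points in the same hunk: the existing comment "# Allow access to GitLab API from other domains" now heads the same-origin `origins Gitlab.config.gitlab.url` block and should move down to the `origins '*'` block; `Gitlab.config.gitlab.url` is compared against the `Origin` header, which carries only scheme, host and port, so if the configured URL includes a trailing slash or a relative URL root the first rule will not match and same-origin credentialed calls silently fall through to the non-credentialed wildcard rule, which deserves a test or a normalisation to scheme, host and port; and the switch from `config.middleware.use` to `config.middleware.insert_before Warden::Manager` for both Rack::Attack and Rack::Cors is not explained anywhere in the diff, so a one-line comment stating why they must run before the session/auth layer would help the next reader.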