Set a restrictive CORS policy on the API for credentialed requests

Cross-origin requests can still be made, as long as the client doesn't use the Rails session cookie to do so. Existing clients should not be setting 'withCredentials: true', so this should be fine.

Set a restrictive CORS policy on the API for credentialed requests
Cross-origin requests can still be made, as long as the client doesn't use the Rails session cookie to do so. Existing clients should not be setting 'withCredentials: true', so this should be fine.
38701389 · Nick Thomas · ae583150 · 38701389
Commit 38701389 authored Sep 22, 2016 by Nick Thomas
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

config/application.rb config/application.rb +11 -0

No files found.
--- a/config/application.rb
+++ b/config/application.rb
@@ -103,9 +103,20 @@ module Gitlab

    # Allow access to GitLab API from other domains
    config.middleware.insert_before Warden::Manager, Rack::Cors do
+      allow do
+        origins Gitlab.config.gitlab.url
+        resource '/api/*',
+          credentials: true,
+          headers: :any,
+          methods: :any,
+          expose: ['Link']
+      end
+
+      # Cross-origin requests must not have the session cookie available
      allow do
        origins '*'
        resource '/api/*',
+          credentials: false,
          headers: :any,
          methods: :any,
          expose: ['Link']