Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq

923a1f7a · Rémy Coutable · 0a42c6a2 · 0ee03af8 · 923a1f7a
Commit 923a1f7a authored Sep 29, 2016 by Rémy Coutable
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 2 deletions

config/application.rb config/application.rb +13 -2

No files found.
--- a/config/application.rb
+++ b/config/application.rb
@@ -99,13 +99,24 @@ module Gitlab

    config.action_view.sanitized_allowed_protocols = %w(smb)

-    config.middleware.use Rack::Attack
+    config.middleware.insert_before Warden::Manager, Rack::Attack

    # Allow access to GitLab API from other domains
-    config.middleware.use Rack::Cors do
+    config.middleware.insert_before Warden::Manager, Rack::Cors do
+      allow do
+        origins Gitlab.config.gitlab.url
+        resource '/api/*',
+          credentials: true,
+          headers: :any,
+          methods: :any,
+          expose: ['Link']
+      end
+
+      # Cross-origin requests must not have the session cookie available
      allow do
        origins '*'
        resource '/api/*',
+          credentials: false,
          headers: :any,
          methods: :any,
          expose: ['Link']