Commit 38701389 authored by Nick Thomas

Set a restrictive CORS policy on the API for credentialed requests

Cross-origin requests can still be made, as long as the client doesn't
use the Rails session cookie to do so. Existing clients should not
be setting 'withCredentials: true', so this should be fine.
parent ae583150
...@@ -103,9 +103,20 @@ module Gitlab ...@@ -103,9 +103,20 @@ module Gitlab
# Allow access to GitLab API from other domains # Allow access to GitLab API from other domains
config.middleware.insert_before Warden::Manager, Rack::Cors do config.middleware.insert_before Warden::Manager, Rack::Cors do
allow do
origins Gitlab.config.gitlab.url
resource '/api/*',
credentials: true,
headers: :any,
methods: :any,
expose: ['Link']
end
# Cross-origin requests must not have the session cookie available
allow do allow do
origins '*' origins '*'
resource '/api/*', resource '/api/*',
credentials: false,
headers: :any, headers: :any,
methods: :any, methods: :any,
expose: ['Link'] expose: ['Link']
......
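Review bot: the new credentialed `allow` block (lines `origins Gitlab.config.gitlab.url` through `expose: ['Link']`) has no comment explaining why it exists, while the following block does; add a one-line comment such as "Same-origin requests may use the session cookie" so the intent of the two-block split survives future edits. Two things to verify on the same block: rack-cors compares the `Origin` header (scheme, host and port only) against the configured string, so on an instance deployed under a relative URL root, where `Gitlab.config.gitlab.url` carries a path suffix, the credentialed block will never match and same-origin API calls that rely on the session cookie will fall through to the `credentials: false` block; and rack-cors uses the first resource whose origin and path match, so the ordering here (specific origin first, `'*'` second) is load-bearing and worth noting in that comment. A spec asserting that a cross-origin preflight for `/api/*` receives `Access-Control-Allow-Origin: *` without `Access-Control-Allow-Credentials: true` would pin down the behaviour the commit message describes.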