Commit 38701389 authored by Nick Thomas

Set a restrictive CORS policy on the API for credentialed requests

Cross-origin requests can still be made, as long as the client doesn't
use the Rails session cookie to do so. Existing clients should not
be setting 'withCredentials: true', so this should be fine.
parent ae583150
......@@ -103,9 +103,20 @@ module Gitlab
# Allow access to GitLab API from other domains
config.middleware.insert_before Warden::Manager, Rack::Cors do
allow do
origins Gitlab.config.gitlab.url
resource '/api/*',
credentials: true,
headers: :any,
methods: :any,
expose: ['Link']
end
# Cross-origin requests must not have the session cookie available
allow do
origins '*'
resource '/api/*',
credentials: false,
headers: :any,
methods: :any,
expose: ['Link']
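Review bot: The first `allow` block matches on `origins Gitlab.config.gitlab.url`, but a browser's `Origin` header is only `scheme://host[:port]`, so if that configured URL can carry a path (a relative URL root), rack-cors will never see an equal origin and same-origin credentialed requests would fall through to the `origins '*'` / `credentials: false` block. Consider deriving the origin from the URL's scheme, host and port rather than passing the full configured URL. Ordering is otherwise right: the specific, credentialed resource is declared before the wildcard one, so the wildcard only applies to other origins. The `# Allow access to GitLab API from other domains` comment above the first block now describes the second block; moving or rewording it would make the intent of the two `allow` blocks clearer to the next reader.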
......