Merge branch 'fix/expose_missing_headers' into 'master'

fix: add missing Access-Control-Expose-Headers values Closes #194897 See merge request gitlab-org/gitlab!22838

Merge branch 'fix/expose_missing_headers' into 'master'
fix: add missing Access-Control-Expose-Headers values Closes #194897 See merge request gitlab-org/gitlab!22838
228ed00a · Ash McKenzie · 3029be8b · f36a4d6d · 228ed00a
Commit 228ed00a authored Jan 16, 2020 by Ash McKenzie
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

config/application.rb config/application.rb +4 -2

No files found.
--- a/config/application.rb
+++ b/config/application.rb
@@ -229,13 +229,15 @@ module Gitlab
    # Allow access to GitLab API from other domains
    config.middleware.insert_before Warden::Manager, Rack::Cors do
+      headers_to_expose = %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page X-Gitlab-Blob-Id X-Gitlab-Commit-Id X-Gitlab-Content-Sha256 X-Gitlab-Encoding X-Gitlab-File-Name X-Gitlab-File-Path X-Gitlab-Last-Commit-Id X-Gitlab-Ref X-Gitlab-Size]
      allow do
        origins Gitlab.config.gitlab.url
        resource '/api/*',
          credentials: true,
          headers: :any,
          methods: :any,
-          expose: %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page]
+          expose: headers_to_expose
      end
      # Cross-origin requests must not have the session cookie available
@@ -245,7 +247,7 @@ module Gitlab
          credentials: false,
          headers: :any,
          methods: :any,
-          expose: %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page]
+          expose: headers_to_expose
      end
    end