Merge branch '22450-restrict-origin' into 'master'

Set a restrictive CORS policy for the API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450 See merge request !1998 Signed-off-by: Rémy Coutable <remy@rymai.me>

Merge branch '22450-restrict-origin' into 'master'
Set a restrictive CORS policy for the API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/22450 See merge request !1998 Signed-off-by: Rémy Coutable <remy@rymai.me>
50562ab8 · Douwe Maan · Rémy Coutable · e740d044 · 50562ab8 · 50562ab8
Commit 50562ab8 authored Sep 27, 2016 by Douwe Maan Committed by Rémy Coutable Sep 28, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 2 deletions

CHANGELOG CHANGELOG +1 -0

config/application.rb config/application.rb +13 -2

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,7 @@ Please view this file on the master branch, on stable branches it's out of date.

 v 8.10.11
  - Respect the fork_project permission when forking projects
+  - Set a restrictive CORS policy on the API for credentialed requests

 v 8.10.10
  - Allow the Rails cookie to be used for API authentication.

--- a/config/application.rb
+++ b/config/application.rb
@@ -94,13 +94,24 @@ module Gitlab

    config.action_view.sanitized_allowed_protocols = %w(smb)

-    config.middleware.use Rack::Attack
+    config.middleware.insert_before Warden::Manager, Rack::Attack

    # Allow access to GitLab API from other domains
-    config.middleware.use Rack::Cors do
+    config.middleware.insert_before Warden::Manager, Rack::Cors do
+      allow do
+        origins Gitlab.config.gitlab.url
+        resource '/api/*',
+          credentials: true,
+          headers: :any,
+          methods: :any,
+          expose: ['Link']
+      end
+
+      # Cross-origin requests must not have the session cookie available
      allow do
        origins '*'
        resource '/api/*',
+          credentials: false,
          headers: :any,
          methods: :any,
          expose: ['Link']