Merge branch 'dz-api-x-frame' into 'security-9-2'

Restrict API X-Frame-Options to same origin See merge request !2103
2017-06-08 09:54:24 -07:00 · 2017-06-08 09:54:24 -07:00 · e1d1a5240c
parent 982368dc55
commit e1d1a5240c
1 changed files with 1 additions and 0 deletions
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@ -45,6 +45,7 @@ module API
    end

    before { allow_access_with_scope :api }
+    before { header['X-Frame-Options'] = 'SAMEORIGIN' }
    before { Gitlab::I18n.locale = current_user&.preferred_language }

    after { Gitlab::I18n.use_default_locale }