From 36260d1462bd08d3852ce36c46fd58028ca281b0 Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Sat, 11 Jan 2020 22:22:53 +0200
Subject: [PATCH 1/2] fix: add missing Access-Control-Expose-Headers values

---
 config/application.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/application.rb b/config/application.rb
index f9cc1cb543a74e..48ec9bb314095c 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -235,7 +235,7 @@ class Application < Rails::Application
 credentials: true,
 headers: :any,
 methods: :any,
- expose: %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page]
+ expose: %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page X-Gitlab-Blob-Id X-Gitlab-Commit-Id X-Gitlab-Content-Sha256 X-Gitlab-Encoding X-Gitlab-File-Name X-Gitlab-File-Path X-Gitlab-Last-Commit-Id X-Gitlab-Ref X-Gitlab-Size]
 end
 
 # Cross-origin requests must not have the session cookie available
@@ -245,7 +245,7 @@ class Application < Rails::Application
 credentials: false,
 headers: :any,
 methods: :any,
- expose: %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page]
+ expose: %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page X-Gitlab-Blob-Id X-Gitlab-Commit-Id X-Gitlab-Content-Sha256 X-Gitlab-Encoding X-Gitlab-File-Name X-Gitlab-File-Path X-Gitlab-Last-Commit-Id X-Gitlab-Ref X-Gitlab-Size]
 end
 end
 
-- 
GitLab

From f36a4d6d7982175d97506f14429208be53848caf Mon Sep 17 00:00:00 2001
From: erezrokah
Date: Wed, 15 Jan 2020 09:10:27 +0200
Subject: [PATCH 2/2] refactor: extract headers to expose to a variable

---
 config/application.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/application.rb b/config/application.rb
index 48ec9bb314095c..3ebd4a3bc36c44 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -229,13 +229,15 @@ class Application < Rails::Application
 
 # Allow access to GitLab API from other domains
 config.middleware.insert_before Warden::Manager, Rack::Cors do
+ headers_to_expose = %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page X-Gitlab-Blob-Id X-Gitlab-Commit-Id X-Gitlab-Content-Sha256 X-Gitlab-Encoding X-Gitlab-File-Name X-Gitlab-File-Path X-Gitlab-Last-Commit-Id X-Gitlab-Ref X-Gitlab-Size]
+
 allow do
 origins Gitlab.config.gitlab.url
 resource '/api/*',
 credentials: true,
 headers: :any,
 methods: :any,
- expose: %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page X-Gitlab-Blob-Id X-Gitlab-Commit-Id X-Gitlab-Content-Sha256 X-Gitlab-Encoding X-Gitlab-File-Name X-Gitlab-File-Path X-Gitlab-Last-Commit-Id X-Gitlab-Ref X-Gitlab-Size]
+ expose: headers_to_expose
 end
 
 # Cross-origin requests must not have the session cookie available
@@ -245,7 +247,7 @@ class Application < Rails::Application
 credentials: false,
 headers: :any,
 methods: :any,
- expose: %w[Link X-Total X-Total-Pages X-Per-Page X-Page X-Next-Page X-Prev-Page X-Gitlab-Blob-Id X-Gitlab-Commit-Id X-Gitlab-Content-Sha256 X-Gitlab-Encoding X-Gitlab-File-Name X-Gitlab-File-Path X-Gitlab-Last-Commit-Id X-Gitlab-Ref X-Gitlab-Size]
+ expose: headers_to_expose
 end
 end
 
-- 
GitLab
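Review bot: `headers_to_expose` has no comment saying that it feeds both CORS policies: the `credentials: true` block for `Gitlab.config.gitlab.url` in this hunk and the `credentials: false` block in the next hunk, whose `origins` line lies outside the diff. After this refactor, a header appended for the first policy is also exposed by the second, so the definition should say so, e.g. `# Also used by the credentials: false policy below; add only headers that are safe for a cross-origin page to read.` The literal is also a single line of well over 200 characters, and wrapping the `%w[...]` over several lines would make later additions stand out in review. The `Rack::Cors` block closes outside this hunk.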
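Review bot: Nothing in the series pins which response headers the `credentials: false` policy exposes, because the diffstat of both patches lists only `config/application.rb`. That policy now exposes the nine `X-Gitlab-*` names through `expose: headers_to_expose`. A request spec that sends a cross-origin request to a `/api/*` path and asserts the exact `Access-Control-Expose-Headers` value would make any later widening of the shared list a visible, reviewed change. The `allow` block this hunk edits starts outside the hunk.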