Allow additional cookies during xd requests

Some HTTP servers sitting in front of Gerrit may have additional authentication demands beyond what Gerrit requires for the xd request format. Allow xd requests with additional cookies to support these servers to authenticate requests and forward to Gerrit. Change-Id: I11562ab19c052dda5647cccb29265368e45a1159
2017-08-09 07:37:59 -07:00 · 2017-08-09 07:37:59 -07:00 · 1b5b6ab3c8
commit 1b5b6ab3c8
parent 7cf423d608
2 changed files with 6 additions and 0 deletions
--- a/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/change/CorsIT.java
+++ b/gerrit-acceptance-tests/src/test/java/com/google/gerrit/acceptance/rest/change/CorsIT.java
@ -212,6 +212,11 @@ public class CorsIT extends AbstractDaemonTest {
    Header allowOrigin = r.getFirstHeader(ACCESS_CONTROL_ALLOW_ORIGIN);
    assertThat(allowOrigin).named(ACCESS_CONTROL_ALLOW_ORIGIN).isNotNull();
    assertThat(allowOrigin.getValue()).named(ACCESS_CONTROL_ALLOW_ORIGIN).isEqualTo(origin);
+
+    Header allowAuth = r.getFirstHeader(ACCESS_CONTROL_ALLOW_CREDENTIALS);
+    assertThat(allowAuth).named(ACCESS_CONTROL_ALLOW_CREDENTIALS).isNotNull();
+    assertThat(allowAuth.getValue()).named(ACCESS_CONTROL_ALLOW_CREDENTIALS).isEqualTo("true");
+
    checkTopic(change, "test-xd");
  }

--- a/gerrit-httpd/src/main/java/com/google/gerrit/httpd/restapi/RestApiServlet.java
+++ b/gerrit-httpd/src/main/java/com/google/gerrit/httpd/restapi/RestApiServlet.java
@ -554,6 +554,7 @@ public class RestApiServlet extends HttpServlet {
      }
      res.addHeader(VARY, ORIGIN);
      res.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN, origin);
+      res.setHeader(ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    } else if (!Strings.isNullOrEmpty(origin)) {
      // All other requests must be processed, but conditionally set CORS headers.
      if (globals.allowOrigin != null) {