Customize the access-control-allow-origin response header

Summary

GitLab should let administrators customize the value of the access-control-allow-origin response header instead of always returning the wildcard `*`.

Proposal

When a request to the GitLab API carries an Origin request header, GitLab answers with the response header access-control-allow-origin: *.

The * value tells browsers that script running on any origin may read the response. Note that the wildcard cannot be combined with access-control-allow-credentials, so browsers will not attach cookies to such a cross-origin request; what the wildcard permits is cross-origin reads from pages that supply their own credentials, for example a token in the PRIVATE-TOKEN header as in the evidence below.

A Premium Self-Managed customer wants to replace the wildcard with an explicit list of trusted origins.

Evidence

The first request sends an Origin header and receives the CORS headers with the wildcard; the second, identical except for the missing Origin header, receives none of the CORS headers (vary: Origin is present in both responses).

$ curl --head https://XXXXXXXXX/api/v4/groups/82 -H "Origin: https://example.com" -H "PRIVATE-TOKEN: glpat-XXXXXXXXXX"
HTTP/2 200
server: nginx
date: Thu, 11 Apr 2024 02:10:29 GMT
content-type: application/json
content-length: 0
access-control-allow-methods: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS
access-control-allow-origin: *
access-control-expose-headers: Link, X-Total, X-Total-Pages, X-Per-Page, X-Page, X-Next-Page, X-Prev-Page, X-Gitlab-Blob-Id, X-Gitlab-Commit-Id, X-Gitlab-Content-Sha256, X-Gitlab-Encoding, X-Gitlab-File-Name, X-Gitlab-File-Path, X-Gitlab-Last-Commit-Id, X-Gitlab-Ref, X-Gitlab-Size
access-control-max-age: 7200
cache-control: no-cache
vary: Origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-gitlab-meta: {"correlation_id":"01HV5EQDTBNNKXKPFPPYNZFT4B","version":"1"}
x-request-id: 01HV5EQDTBNNKXKPFPPYNZFT4B
x-runtime: 0.599612
referrer-policy: strict-origin-when-cross-origin

$ curl --head https://XXXXXXXXX/api/v4/groups/82 -H "PRIVATE-TOKEN: glpat-XXXXXXXXXX"
HTTP/2 200
server: nginx
date: Thu, 11 Apr 2024 02:10:38 GMT
content-type: application/json
content-length: 0
cache-control: no-cache
vary: Origin
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-gitlab-meta: {"correlation_id":"01HV5EQPEARGS7VDSGT7STQB5N","version":"1"}
x-request-id: 01HV5EQPEARGS7VDSGT7STQB5N
x-runtime: 0.617838
referrer-policy: strict-origin-when-cross-origin
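
The proposal in working code, as an added example that is not GitLab's own implementation: a Rack-style middleware in Ruby that answers cross-origin requests from an explicit allowlist and echoes the single matching origin instead of `*`. The class name, the GROUP_APP stub standing in for /api/v4/groups/82, the allowlist and the request hashes are all constructed for this example; only the allow-methods and max-age values are taken from the evidence above.

```ruby
require 'set'
require 'uri'

# Added example, not GitLab's own code: a Rack-style middleware that answers
# CORS requests from an explicit allowlist instead of returning "*".
# Assumptions: the wrapped app follows the Rack [status, headers, body]
# contract, and origins are matched as exact scheme://host[:port] strings.
class AllowlistCors
  # Values taken from the evidence above.
  ALLOW_METHODS = 'GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS'.freeze
  MAX_AGE       = '7200'.freeze

  def initialize(app, allowed_origins:)
    @app = app
    # Normalize once at boot; entries that are not plain http(s) origins
    # (including the literal "null" origin sent by sandboxed frames) are dropped.
    @allowed = allowed_origins.map { |o| self.class.normalize(o) }.compact.to_set
  end

  def call(env)
    origin  = env['HTTP_ORIGIN']
    allowed = !origin.nil? && @allowed.include?(self.class.normalize(origin))

    if preflight?(env)
      # A preflight never reaches the app; unknown origins get a bare 403.
      status, headers, body = allowed ? [204, {}, []] : [403, {}, ['origin not allowed']]
    else
      status, headers, body = @app.call(env)
    end

    headers = headers.dup
    # Vary on Origin unconditionally so a shared cache never serves one
    # origin's response (with its ACAO header) to another origin.
    headers['Vary'] = add_vary(headers['Vary'])
    if allowed
      # Echo the single matching origin; never "*".
      headers['Access-Control-Allow-Origin']  = origin
      headers['Access-Control-Allow-Methods'] = ALLOW_METHODS
      headers['Access-Control-Max-Age']       = MAX_AGE
    end
    [status, headers, body]
  end

  # Canonical "scheme://host[:port]" form, or nil for anything that is not
  # an http(s) origin (the default port is dropped, the host lower-cased).
  def self.normalize(origin)
    u = URI.parse(origin.to_s.strip)
    return nil unless %w[http https].include?(u.scheme) && u.host
    default = u.scheme == 'https' ? 443 : 80
    host = u.host.downcase
    u.port == default ? "#{u.scheme}://#{host}" : "#{u.scheme}://#{host}:#{u.port}"
  rescue URI::Error
    nil
  end

  private

  def preflight?(env)
    env['REQUEST_METHOD'] == 'OPTIONS' && env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
  end

  def add_vary(existing)
    parts = existing.to_s.split(',').map(&:strip).reject(&:empty?)
    parts << 'Origin' unless parts.any? { |p| p.casecmp?('Origin') }
    parts.join(', ')
  end
end

# Constructed stand-in for the /api/v4/groups/82 endpoint from the evidence.
GROUP_APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/json', 'Cache-Control' => 'no-cache' }, ['{"id":82}']]
end

# Send one request through the middleware and return its response headers
# plus the status code (under the key 'status').
def cors_headers(origin:, method: 'GET', preflight: false, allowlist: ['https://example.com'])
  app = AllowlistCors.new(GROUP_APP, allowed_origins: allowlist)
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => '/api/v4/groups/82' }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] = 'GET' if preflight
  status, headers, _body = app.call(env)
  headers.merge('status' => status)
end

if __FILE__ == $PROGRAM_NAME
  # The two requests from the evidence, plus one from an origin not on the list.
  [nil, 'https://example.com', 'https://evil.example'].each do |o|
    puts "Origin: #{o.inspect}"
    cors_headers(origin: o).each { |k, v| puts "  #{k}: #{v}" }
  end
end
```

Run stand-alone, it prints the headers for the two requests from the evidence plus a third from an origin that is not on the list; for that one the middleware emits no access-control-allow-origin at all rather than a rejected value, and it keeps vary: Origin on every response so a shared cache cannot hand one origin's response to another. Origins are compared in canonical scheme://host[:port] form, and the literal `null` origin is never accepted.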

References

Internal ticket link