Fix cookies not having a SameSite attribute (#15098)

4 years ago · acc1c03861
parent 9b1f2a4b61
commit acc1c03861
3 changed files with 9 additions and 1 deletions
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -10,6 +10,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
    expires: 1.year.from_now,
    httponly: true,
    secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+    same_site: :lax,
  }
 end

@ -20,6 +21,7 @@ Warden::Manager.after_fetch do |user, warden|
      expires: 1.year.from_now,
      httponly: true,
      secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+      same_site: :lax,
    }
  else
    warden.logout
--- a/config/initializers/makara.rb
+++ b/config/initializers/makara.rb
@ -0,0 +1,2 @@
+Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
+Makara::Cookie::DEFAULT_OPTIONS[:secure]    = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@ -1,3 +1,7 @@
 # Be sure to restart your server when you modify this file.

-Rails.application.config.session_store :cookie_store, key: '_mastodon_session', secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true')
+Rails.application.config.session_store :cookie_store, {
+  key: '_mastodon_session',
+  secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+  same_site: :lax,
+}