Drop dependency on secure_headers, fix response headers (#15712)
* Drop dependency on secure_headers, use always_write_cookie instead * Fix cookies in Tor Hidden Services by moving configuration to application.rb * Instead of setting always_write_cookie at boot, monkey-patch ActionDispatchth-downstream
parent
160154d798
commit
e47570388a
@ -1 +1,2 @@
|
||||
Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
|
||||
Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
|
||||
|
@ -1,10 +0,0 @@
|
||||
SecureHeaders::Configuration.default do |config|
|
||||
config.cookies = {
|
||||
secure: true,
|
||||
httponly: true,
|
||||
samesite: {
|
||||
lax: true
|
||||
}
|
||||
}
|
||||
config.csp = SecureHeaders::OPT_OUT
|
||||
end
|
@ -0,0 +1,15 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
module ActionDispatch
|
||||
module CookieJarExtensions
|
||||
private
|
||||
|
||||
# Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service
|
||||
# users. Otherwise, ActionDispatch would drop the cookie over HTTP.
|
||||
def write_cookie?(*)
|
||||
request.headers['Host'].ends_with?('.onion') || super
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)
|
Loading…
Reference in new issue