Drop dependency on secure_headers, fix response headers (#15712)
* Drop dependency on secure_headers, use always_write_cookie instead * Fix cookies in Tor Hidden Services by moving configuration to application.rb * Instead of setting always_write_cookie at boot, monkey-patch ActionDispatchpull/15685/head
parent
eb23f98592
commit
21fb3f3684
2
Gemfile
2
Gemfile
|
@ -161,5 +161,3 @@ gem 'connection_pool', require: false
|
||||||
|
|
||||||
gem 'xorcist', '~> 1.1'
|
gem 'xorcist', '~> 1.1'
|
||||||
gem 'pluck_each', '~> 0.1.3'
|
gem 'pluck_each', '~> 0.1.3'
|
||||||
|
|
||||||
gem 'secure_headers', '~> 3.5'
|
|
||||||
|
|
|
@ -571,8 +571,6 @@ GEM
|
||||||
scenic (1.5.4)
|
scenic (1.5.4)
|
||||||
activerecord (>= 4.0.0)
|
activerecord (>= 4.0.0)
|
||||||
railties (>= 4.0.0)
|
railties (>= 4.0.0)
|
||||||
secure_headers (3.9.0)
|
|
||||||
useragent
|
|
||||||
securecompare (1.0.0)
|
securecompare (1.0.0)
|
||||||
semantic_range (2.3.0)
|
semantic_range (2.3.0)
|
||||||
sidekiq (6.1.3)
|
sidekiq (6.1.3)
|
||||||
|
@ -654,7 +652,6 @@ GEM
|
||||||
unf_ext (0.0.7.7)
|
unf_ext (0.0.7.7)
|
||||||
unicode-display_width (1.7.0)
|
unicode-display_width (1.7.0)
|
||||||
uniform_notifier (1.13.2)
|
uniform_notifier (1.13.2)
|
||||||
useragent (0.16.10)
|
|
||||||
warden (1.2.9)
|
warden (1.2.9)
|
||||||
rack (>= 2.0.9)
|
rack (>= 2.0.9)
|
||||||
webauthn (3.0.0.alpha1)
|
webauthn (3.0.0.alpha1)
|
||||||
|
@ -798,7 +795,6 @@ DEPENDENCIES
|
||||||
ruby-progressbar (~> 1.11)
|
ruby-progressbar (~> 1.11)
|
||||||
sanitize (~> 5.2)
|
sanitize (~> 5.2)
|
||||||
scenic (~> 1.5)
|
scenic (~> 1.5)
|
||||||
secure_headers (~> 3.5)
|
|
||||||
sidekiq (~> 6.1)
|
sidekiq (~> 6.1)
|
||||||
sidekiq-bulk (~> 0.2.0)
|
sidekiq-bulk (~> 0.2.0)
|
||||||
sidekiq-scheduler (~> 3.0)
|
sidekiq-scheduler (~> 3.0)
|
||||||
|
|
|
@ -25,6 +25,7 @@ require_relative '../lib/devise/two_factor_pam_authenticatable'
|
||||||
require_relative '../lib/chewy/strategy/custom_sidekiq'
|
require_relative '../lib/chewy/strategy/custom_sidekiq'
|
||||||
require_relative '../lib/webpacker/manifest_extensions'
|
require_relative '../lib/webpacker/manifest_extensions'
|
||||||
require_relative '../lib/webpacker/helper_extensions'
|
require_relative '../lib/webpacker/helper_extensions'
|
||||||
|
require_relative '../lib/action_dispatch/cookie_jar_extensions'
|
||||||
require_relative '../lib/rails/engine_extensions'
|
require_relative '../lib/rails/engine_extensions'
|
||||||
|
|
||||||
Dotenv::Railtie.load
|
Dotenv::Railtie.load
|
||||||
|
|
|
@ -9,6 +9,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
|
||||||
value: session_id,
|
value: session_id,
|
||||||
expires: 1.year.from_now,
|
expires: 1.year.from_now,
|
||||||
httponly: true,
|
httponly: true,
|
||||||
|
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
|
||||||
same_site: :lax,
|
same_site: :lax,
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
@ -19,6 +20,7 @@ Warden::Manager.after_fetch do |user, warden|
|
||||||
value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
|
value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
|
||||||
expires: 1.year.from_now,
|
expires: 1.year.from_now,
|
||||||
httponly: true,
|
httponly: true,
|
||||||
|
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
|
||||||
same_site: :lax,
|
same_site: :lax,
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
@ -227,6 +229,10 @@ Devise.setup do |config|
|
||||||
# If true, extends the user's remember period when remembered via cookie.
|
# If true, extends the user's remember period when remembered via cookie.
|
||||||
# config.extend_remember_period = false
|
# config.extend_remember_period = false
|
||||||
|
|
||||||
|
# Options to be passed to the created cookie. For instance, you can set
|
||||||
|
# secure: true in order to force SSL only cookies.
|
||||||
|
config.rememberable_options = { secure: true }
|
||||||
|
|
||||||
# ==> Configuration for :validatable
|
# ==> Configuration for :validatable
|
||||||
# Range for password length.
|
# Range for password length.
|
||||||
config.password_length = 8..72
|
config.password_length = 8..72
|
||||||
|
|
|
@ -1 +1,2 @@
|
||||||
Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
|
Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
|
||||||
|
Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
SecureHeaders::Configuration.default do |config|
|
|
||||||
config.cookies = {
|
|
||||||
secure: true,
|
|
||||||
httponly: true,
|
|
||||||
samesite: {
|
|
||||||
lax: true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
config.csp = SecureHeaders::OPT_OUT
|
|
||||||
end
|
|
|
@ -2,5 +2,6 @@
|
||||||
|
|
||||||
Rails.application.config.session_store :cookie_store, {
|
Rails.application.config.session_store :cookie_store, {
|
||||||
key: '_mastodon_session',
|
key: '_mastodon_session',
|
||||||
|
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
|
||||||
same_site: :lax,
|
same_site: :lax,
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
module ActionDispatch
|
||||||
|
module CookieJarExtensions
|
||||||
|
private
|
||||||
|
|
||||||
|
# Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service
|
||||||
|
# users. Otherwise, ActionDispatch would drop the cookie over HTTP.
|
||||||
|
def write_cookie?(*)
|
||||||
|
request.headers['Host'].ends_with?('.onion') || super
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)
|
Loading…
Reference in New Issue