From e79f8dd85cb63125185fdf711f470c298a0b5dbc Mon Sep 17 00:00:00 2001 From: Cecylia Bocovich Date: Wed, 10 Feb 2021 22:40:13 -0500 Subject: [PATCH] Onion service related changes to HTTPS handling (#15560) * Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland --- Gemfile | 2 ++ Gemfile.lock | 4 ++++ app/controllers/application_controller.rb | 2 +- app/lib/webfinger.rb | 12 ++++++++++-- config/initializers/devise.rb | 6 ------ config/initializers/makara.rb | 1 - config/initializers/secureheaders.rb | 10 ++++++++++ config/initializers/session_store.rb | 1 - 8 files changed, 27 insertions(+), 11 deletions(-) create mode 100644 config/initializers/secureheaders.rb diff --git a/Gemfile b/Gemfile index 78cb44168a..8d8542f83d 100644 --- a/Gemfile +++ b/Gemfile @@ -161,3 +161,5 @@ gem 'connection_pool', require: false gem 'xorcist', '~> 1.1' gem 'pluck_each', '~> 0.1.3' + +gem 'secure_headers', '~> 3.5' diff --git a/Gemfile.lock b/Gemfile.lock index bd32f72a73..4237d6bba7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -571,6 +571,8 @@ GEM scenic (1.5.4) activerecord (>= 4.0.0) railties (>= 4.0.0) + secure_headers (3.9.0) + useragent securecompare (1.0.0) semantic_range (2.3.0) sidekiq (6.1.3) @@ -652,6 +654,7 @@ GEM unf_ext (0.0.7.7) unicode-display_width (1.7.0) uniform_notifier (1.13.2) + useragent (0.16.10) warden (1.2.9) rack (>= 2.0.9) webauthn (3.0.0.alpha1) @@ -795,6 +798,7 @@ DEPENDENCIES ruby-progressbar (~> 1.11) sanitize (~> 5.2) scenic (~> 1.5) + secure_headers (~> 3.5) sidekiq (~> 6.1) sidekiq-bulk (~> 0.2.0) sidekiq-scheduler (~> 3.0) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 44616d6e5e..c9311c1b6c 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base private def https_enabled? - Rails.env.production? && !request.path.start_with?('/health') + Rails.env.production? && !request.path.start_with?('/health') && !request.headers["Host"].ends_with?(".onion") end def authorized_fetch_mode? diff --git a/app/lib/webfinger.rb b/app/lib/webfinger.rb index 7023659395..40795a7aa9 100644 --- a/app/lib/webfinger.rb +++ b/app/lib/webfinger.rb @@ -88,10 +88,18 @@ class Webfinger end def standard_url - "https://#{@domain}/.well-known/webfinger?resource=#{@uri}" + if @domain.ends_with? ".onion" + "http://#{@domain}/.well-known/webfinger?resource=#{@uri}" + else + "https://#{@domain}/.well-known/webfinger?resource=#{@uri}" + end end def host_meta_url - "https://#{@domain}/.well-known/host-meta" + if @domain.ends_with? ".onion" + "http://#{@domain}/.well-known/host-meta" + else + "https://#{@domain}/.well-known/host-meta" + end end end diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index ef612e177d..d3757b0d34 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -9,7 +9,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden| value: session_id, expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } end @@ -20,7 +19,6 @@ Warden::Manager.after_fetch do |user, warden| value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'], expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } else @@ -229,10 +227,6 @@ Devise.setup do |config| # If true, extends the user's remember period when remembered via cookie. # config.extend_remember_period = false - # Options to be passed to the created cookie. For instance, you can set - # secure: true in order to force SSL only cookies. - config.rememberable_options = { secure: true } - # ==> Configuration for :validatable # Range for password length. config.password_length = 8..72 diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb index dc88fa63cd..afd29eda8d 100644 --- a/config/initializers/makara.rb +++ b/config/initializers/makara.rb @@ -1,2 +1 @@ Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax -Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true' diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb new file mode 100644 index 0000000000..6c8ac7fbe5 --- /dev/null +++ b/config/initializers/secureheaders.rb @@ -0,0 +1,10 @@ +SecureHeaders::Configuration.default do |config| + config.cookies = { + secure: true, + httponly: true, + samesite: { + lax: true + } + } + config.csp = SecureHeaders::OPT_OUT +end diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index e5d1be4c6c..7e3471ac4c 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -2,6 +2,5 @@ Rails.application.config.session_store :cookie_store, { key: '_mastodon_session', - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, }