Drop dependency on secure_headers, fix response headers (#15712)

* Drop dependency on secure_headers, use always_write_cookie instead * Fix cookies in Tor Hidden Services by moving configuration to application.rb * Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
2021-02-11 23:47:05 +01:00 · 2021-02-11 23:47:05 +01:00 · 21fb3f3684
commit 21fb3f3684
parent eb23f98592
8 changed files with 24 additions and 16 deletions
--- a/config/application.rb
+++ b/config/application.rb
@ -25,6 +25,7 @@ require_relative '../lib/devise/two_factor_pam_authenticatable'
 require_relative '../lib/chewy/strategy/custom_sidekiq'
 require_relative '../lib/webpacker/manifest_extensions'
 require_relative '../lib/webpacker/helper_extensions'
+require_relative '../lib/action_dispatch/cookie_jar_extensions'
 require_relative '../lib/rails/engine_extensions'

 Dotenv::Railtie.load
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -9,6 +9,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
    value: session_id,
    expires: 1.year.from_now,
    httponly: true,
+    secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
    same_site: :lax,
  }
 end
@ -19,6 +20,7 @@ Warden::Manager.after_fetch do |user, warden|
      value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
      expires: 1.year.from_now,
      httponly: true,
+      secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
      same_site: :lax,
    }
  else
@ -227,6 +229,10 @@ Devise.setup do |config|
  # If true, extends the user's remember period when remembered via cookie.
  # config.extend_remember_period = false

+  # Options to be passed to the created cookie. For instance, you can set
+  # secure: true in order to force SSL only cookies.
+  config.rememberable_options = { secure: true }
+
  # ==> Configuration for :validatable
  # Range for password length.
  config.password_length = 8..72
--- a/config/initializers/makara.rb
+++ b/config/initializers/makara.rb
@ -1 +1,2 @@
 Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
+Makara::Cookie::DEFAULT_OPTIONS[:secure]    = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
--- a/config/initializers/secureheaders.rb
+++ b/config/initializers/secureheaders.rb
@ -1,10 +0,0 @@
-SecureHeaders::Configuration.default do |config|
-  config.cookies = {
-    secure: true,
-    httponly: true,
-    samesite: {
-      lax: true
-    }
-  }
-  config.csp = SecureHeaders::OPT_OUT
-end
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@ -2,5 +2,6 @@

 Rails.application.config.session_store :cookie_store, {
  key: '_mastodon_session',
+  secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
  same_site: :lax,
 }