about summary refs log tree commit diff
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2020-11-06 11:57:14 +0100
committerGitHub <noreply@github.com>2020-11-06 11:57:14 +0100
commitacc1c038610a82d8470acde6753716da0dc4b1fa (patch)
tree18aa4e0c94907f653e07ca8c1e373a8882cced9c
parent9b1f2a4b61660f9a8be62f6296d97a856e376059 (diff)
Fix cookies not having a SameSite attribute (#15098)
-rw-r--r--config/initializers/devise.rb2
-rw-r--r--config/initializers/makara.rb2
-rw-r--r--config/initializers/session_store.rb6
3 files changed, 9 insertions, 1 deletions
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 59e69ad37..ef612e177 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -10,6 +10,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
     expires: 1.year.from_now,
     httponly: true,
     secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+    same_site: :lax,
   }
 end
 
@@ -20,6 +21,7 @@ Warden::Manager.after_fetch do |user, warden|
       expires: 1.year.from_now,
       httponly: true,
       secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+      same_site: :lax,
     }
   else
     warden.logout
diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb
new file mode 100644
index 000000000..dc88fa63c
--- /dev/null
+++ b/config/initializers/makara.rb
@@ -0,0 +1,2 @@
+Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
+Makara::Cookie::DEFAULT_OPTIONS[:secure]    = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 3dc0edd6f..e5d1be4c6 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,7 @@
 # Be sure to restart your server when you modify this file.
 
-Rails.application.config.session_store :cookie_store, key: '_mastodon_session', secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true')
+Rails.application.config.session_store :cookie_store, {
+  key: '_mastodon_session',
+  secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+  same_site: :lax,
+}