diff options
| author | Cecylia Bocovich <cohosh@torproject.org> | 2021-02-10 22:40:13 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-02-11 04:40:13 +0100 |
| commit | e79f8dd85cb63125185fdf711f470c298a0b5dbc (patch) | |
| tree | c27f1d0e2cd45262934fd5729e9ae3cd824747b3 /config/initializers | |
| parent | d499bb031f0d20a5f27facfd57cf4e00f89003d7 (diff) | |
Onion service related changes to HTTPS handling (#15560)
* Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland <me@drbonez.dev>
Diffstat (limited to 'config/initializers')
| -rw-r--r-- | config/initializers/devise.rb | 6 | ||||
| -rw-r--r-- | config/initializers/makara.rb | 1 | ||||
| -rw-r--r-- | config/initializers/secureheaders.rb | 10 | ||||
| -rw-r--r-- | config/initializers/session_store.rb | 1 |
4 files changed, 10 insertions, 8 deletions
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index ef612e177..d3757b0d3 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -9,7 +9,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden| value: session_id, expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } end @@ -20,7 +19,6 @@ Warden::Manager.after_fetch do |user, warden| value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'], expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } else @@ -229,10 +227,6 @@ Devise.setup do |config| # If true, extends the user's remember period when remembered via cookie. # config.extend_remember_period = false - # Options to be passed to the created cookie. For instance, you can set - # secure: true in order to force SSL only cookies. - config.rememberable_options = { secure: true } - # ==> Configuration for :validatable # Range for password length. config.password_length = 8..72 diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb index dc88fa63c..afd29eda8 100644 --- a/config/initializers/makara.rb +++ b/config/initializers/makara.rb @@ -1,2 +1 @@ Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax -Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true' diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb new file mode 100644 index 000000000..6c8ac7fbe --- /dev/null +++ b/config/initializers/secureheaders.rb @@ -0,0 +1,10 @@ +SecureHeaders::Configuration.default do |config| + config.cookies = { + secure: true, + httponly: true, + samesite: { + lax: true + } + } + config.csp = SecureHeaders::OPT_OUT +end diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index e5d1be4c6..7e3471ac4 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -2,6 +2,5 @@ Rails.application.config.session_store :cookie_store, { key: '_mastodon_session', - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } |