Onion service related changes to HTTPS handling (#15560)

* Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland <me@drbonez.dev>
author: Cecylia Bocovich <cohosh@torproject.org> 2021-02-10 22:40:13 -0500
committer: GitHub <noreply@github.com> 2021-02-11 04:40:13 +0100
commit: e79f8dd85cb63125185fdf711f470c298a0b5dbc (patch)
tree: c27f1d0e2cd45262934fd5729e9ae3cd824747b3 /config
parent: d499bb031f0d20a5f27facfd57cf4e00f89003d7 (diff)
4 files changed, 10 insertions, 8 deletions
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index ef612e177..d3757b0d3 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -9,7 +9,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
     value: session_id,
     expires: 1.year.from_now,
     httponly: true,
-    secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
     same_site: :lax,
   }
 end
@@ -20,7 +19,6 @@ Warden::Manager.after_fetch do |user, warden|
       value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
       expires: 1.year.from_now,
       httponly: true,
-      secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
       same_site: :lax,
     }
   else
@@ -229,10 +227,6 @@ Devise.setup do |config|
   # If true, extends the user's remember period when remembered via cookie.
   # config.extend_remember_period = false
 
-  # Options to be passed to the created cookie. For instance, you can set
-  # secure: true in order to force SSL only cookies.
-  config.rememberable_options = { secure: true }
-
   # ==> Configuration for :validatable
   # Range for password length.
   config.password_length = 8..72
diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb
index dc88fa63c..afd29eda8 100644
--- a/config/initializers/makara.rb
+++ b/config/initializers/makara.rb
@@ -1,2 +1 @@
 Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
-Makara::Cookie::DEFAULT_OPTIONS[:secure]    = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb
new file mode 100644
index 000000000..6c8ac7fbe
--- /dev/null
+++ b/config/initializers/secureheaders.rb
@@ -0,0 +1,10 @@
+SecureHeaders::Configuration.default do |config|
+  config.cookies = {
+    secure: true,
+    httponly: true,
+    samesite: {
+      lax: true
+    }
+  }
+  config.csp = SecureHeaders::OPT_OUT
+end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index e5d1be4c6..7e3471ac4 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -2,6 +2,5 @@
 
 Rails.application.config.session_store :cookie_store, {
   key: '_mastodon_session',
-  secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
   same_site: :lax,
 }
author	Cecylia Bocovich <cohosh@torproject.org>	2021-02-10 22:40:13 -0500
committer	GitHub <noreply@github.com>	2021-02-11 04:40:13 +0100
commit	e79f8dd85cb63125185fdf711f470c298a0b5dbc (patch)
tree	c27f1d0e2cd45262934fd5729e9ae3cd824747b3 /config
parent	d499bb031f0d20a5f27facfd57cf4e00f89003d7 (diff)