Age | Commit message (Collapse) | Author |
|
|
|
* Fix issues with POSIX::Spawn, Terrapin and Ruby 3.0
Also improve the Terrapin monkey-patch for the stderr/stdout issue.
* Fix keyword argument handling throughout the codebase
* Monkey-patch Paperclip to fix keyword arguments handling in validators
* Change validation_extensions to please CodeClimate
* Bump microformats from 4.2.1 to 4.3.1
* Allow Ruby 3.0
* Add Ruby 3.0 test target to CircleCI
* Add test for admin dashboard warnings
* Fix admin dashboard warnings on Ruby 3.0
|
|
* Drop dependency on secure_headers, use always_write_cookie instead
* Fix cookies in Tor Hidden Services by moving configuration to application.rb
* Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
|
|
* Enable secure cookie flag for https only
* Disable force_ssl for .onion hosts only
Co-authored-by: Aiden McClelland <me@drbonez.dev>
|
|
|
|
(#9819)
|
|
CSFR-prevention is already implemented but adding this doesn't hurt.
A brief introduction to Same-Site cookies (and the difference between strict and
lax) can be found at
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
TLDR: We use lax since we want the cookies to be sent when the user navigates
safely from an external site.
|
|
|
|
add permissive CORS to API controllers
|
|
|