From 21fb3f3684782628319a0d6339dd9fd446c2b673 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Thu, 11 Feb 2021 23:47:05 +0100
Subject: Drop dependency on secure_headers, fix response headers (#15712)

* Drop dependency on secure_headers, use always_write_cookie instead

* Fix cookies in Tor Hidden Services by moving configuration to application.rb

* Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
---
 lib/action_dispatch/cookie_jar_extensions.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 lib/action_dispatch/cookie_jar_extensions.rb

(limited to 'lib')

diff --git a/lib/action_dispatch/cookie_jar_extensions.rb b/lib/action_dispatch/cookie_jar_extensions.rb
new file mode 100644
index 000000000..44c39c1f8
--- /dev/null
+++ b/lib/action_dispatch/cookie_jar_extensions.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module CookieJarExtensions
+    private
+
+    # Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service
+    # users. Otherwise, ActionDispatch would drop the cookie over HTTP.
+    def write_cookie?(*)
+      request.headers['Host'].ends_with?('.onion') || super
+    end
+  end
+end
+
+ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)
-- 
cgit