Drop dependency on secure_headers, fix response headers (#15712)

* Drop dependency on secure_headers, use always_write_cookie instead

* Fix cookies in Tor Hidden Services by moving configuration to application.rb

* Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
This commit is contained in:
Claire 2021-02-11 23:47:05 +01:00 committed by GitHub
parent eb23f98592
commit 21fb3f3684
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 24 additions and 16 deletions

View file

@ -161,5 +161,3 @@ gem 'connection_pool', require: false
gem 'xorcist', '~> 1.1' gem 'xorcist', '~> 1.1'
gem 'pluck_each', '~> 0.1.3' gem 'pluck_each', '~> 0.1.3'
gem 'secure_headers', '~> 3.5'

View file

@ -571,8 +571,6 @@ GEM
scenic (1.5.4) scenic (1.5.4)
activerecord (>= 4.0.0) activerecord (>= 4.0.0)
railties (>= 4.0.0) railties (>= 4.0.0)
secure_headers (3.9.0)
useragent
securecompare (1.0.0) securecompare (1.0.0)
semantic_range (2.3.0) semantic_range (2.3.0)
sidekiq (6.1.3) sidekiq (6.1.3)
@ -654,7 +652,6 @@ GEM
unf_ext (0.0.7.7) unf_ext (0.0.7.7)
unicode-display_width (1.7.0) unicode-display_width (1.7.0)
uniform_notifier (1.13.2) uniform_notifier (1.13.2)
useragent (0.16.10)
warden (1.2.9) warden (1.2.9)
rack (>= 2.0.9) rack (>= 2.0.9)
webauthn (3.0.0.alpha1) webauthn (3.0.0.alpha1)
@ -798,7 +795,6 @@ DEPENDENCIES
ruby-progressbar (~> 1.11) ruby-progressbar (~> 1.11)
sanitize (~> 5.2) sanitize (~> 5.2)
scenic (~> 1.5) scenic (~> 1.5)
secure_headers (~> 3.5)
sidekiq (~> 6.1) sidekiq (~> 6.1)
sidekiq-bulk (~> 0.2.0) sidekiq-bulk (~> 0.2.0)
sidekiq-scheduler (~> 3.0) sidekiq-scheduler (~> 3.0)

View file

@ -25,6 +25,7 @@ require_relative '../lib/devise/two_factor_pam_authenticatable'
require_relative '../lib/chewy/strategy/custom_sidekiq' require_relative '../lib/chewy/strategy/custom_sidekiq'
require_relative '../lib/webpacker/manifest_extensions' require_relative '../lib/webpacker/manifest_extensions'
require_relative '../lib/webpacker/helper_extensions' require_relative '../lib/webpacker/helper_extensions'
require_relative '../lib/action_dispatch/cookie_jar_extensions'
require_relative '../lib/rails/engine_extensions' require_relative '../lib/rails/engine_extensions'
Dotenv::Railtie.load Dotenv::Railtie.load

View file

@ -9,6 +9,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
value: session_id, value: session_id,
expires: 1.year.from_now, expires: 1.year.from_now,
httponly: true, httponly: true,
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
same_site: :lax, same_site: :lax,
} }
end end
@ -19,6 +20,7 @@ Warden::Manager.after_fetch do |user, warden|
value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'], value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
expires: 1.year.from_now, expires: 1.year.from_now,
httponly: true, httponly: true,
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
same_site: :lax, same_site: :lax,
} }
else else
@ -227,6 +229,10 @@ Devise.setup do |config|
# If true, extends the user's remember period when remembered via cookie. # If true, extends the user's remember period when remembered via cookie.
# config.extend_remember_period = false # config.extend_remember_period = false
# Options to be passed to the created cookie. For instance, you can set
# secure: true in order to force SSL only cookies.
config.rememberable_options = { secure: true }
# ==> Configuration for :validatable # ==> Configuration for :validatable
# Range for password length. # Range for password length.
config.password_length = 8..72 config.password_length = 8..72

View file

@ -1 +1,2 @@
Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'

View file

@ -1,10 +0,0 @@
SecureHeaders::Configuration.default do |config|
config.cookies = {
secure: true,
httponly: true,
samesite: {
lax: true
}
}
config.csp = SecureHeaders::OPT_OUT
end

View file

@ -2,5 +2,6 @@
Rails.application.config.session_store :cookie_store, { Rails.application.config.session_store :cookie_store, {
key: '_mastodon_session', key: '_mastodon_session',
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
same_site: :lax, same_site: :lax,
} }

View file

@ -0,0 +1,15 @@
# frozen_string_literal: true
module ActionDispatch
module CookieJarExtensions
private
# Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service
# users. Otherwise, ActionDispatch would drop the cookie over HTTP.
def write_cookie?(*)
request.headers['Host'].ends_with?('.onion') || super
end
end
end
ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions)