Browse Source

feat(cookies): Use the same-site attribute to lax

NOTE: upstream reverted this because it was causing issues with SSO. I
don't need that, so it's not problem.

See: https://github.com/tootsuite/mastodon/issues/9812

CSFR-prevention is already implemented but adding this doesn't hurt.

A brief introduction to Same-Site cookies (and the difference between strict and
lax) can be found at
https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

TLDR: We use lax since we want the cookies to be sent when the user navigates
safely from an external site.
tags/v3.0.0-adneyland
Sorin Davidoi 1 year ago
parent
commit
847ef9cc53
3 changed files with 4 additions and 1 deletions
  1. 2
    0
      config/initializers/devise.rb
  2. 1
    1
      config/initializers/session_store.rb
  3. 1
    0
      spec/rails_helper.rb

+ 2
- 0
config/initializers/devise.rb View File

@@ -10,6 +10,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
expires: 1.year.from_now,
httponly: true,
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
same_site: :lax,
}
end

@@ -20,6 +21,7 @@ Warden::Manager.after_fetch do |user, warden|
expires: 1.year.from_now,
httponly: true,
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
same_site: :lax,
}
else
warden.logout

+ 1
- 1
config/initializers/session_store.rb View File

@@ -1,3 +1,3 @@
# Be sure to restart your server when you modify this file.

Rails.application.config.session_store :cookie_store, key: '_mastodon_session', secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true')
Rails.application.config.session_store :cookie_store, key: '_mastodon_session', secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax

+ 1
- 0
spec/rails_helper.rb View File

@@ -29,6 +29,7 @@ Devise::Test::ControllerHelpers.module_eval do
value: resource.activate_session(warden.request),
expires: 1.year.from_now,
httponly: true,
same_site: :lax,
}
end
end

Loading…
Cancel
Save