From 6e418bf3465d2df6b47e9b43d3b960504b81e8fb Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Fri, 8 Apr 2022 12:47:18 +0200 Subject: [PATCH] Fix cookies secure flag being set when served over Tor (#17992) --- config/application.rb | 1 - config/initializers/devise.rb | 4 +--- config/initializers/session_store.rb | 2 +- lib/action_dispatch/cookie_jar_extensions.rb | 25 -------------------- 4 files changed, 2 insertions(+), 30 deletions(-) delete mode 100644 lib/action_dispatch/cookie_jar_extensions.rb diff --git a/config/application.rb b/config/application.rb index bed935ce3..a1ba71f61 100644 --- a/config/application.rb +++ b/config/application.rb @@ -40,7 +40,6 @@ require_relative '../lib/devise/two_factor_pam_authenticatable' require_relative '../lib/chewy/strategy/custom_sidekiq' require_relative '../lib/webpacker/manifest_extensions' require_relative '../lib/webpacker/helper_extensions' -require_relative '../lib/action_dispatch/cookie_jar_extensions' require_relative '../lib/rails/engine_extensions' require_relative '../lib/active_record/database_tasks_extensions' require_relative '../lib/active_record/batches' diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index b434c68fa..c55bea7a7 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -8,7 +8,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden| value: session_id, expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } end @@ -23,7 +22,6 @@ Warden::Manager.after_fetch do |user, warden| value: session_id, expires: 1.year.from_now, httponly: true, - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } else @@ -265,7 +263,7 @@ Devise.setup do |config| # Options to be passed to the created cookie. For instance, you can set # secure: true in order to force SSL only cookies. - config.rememberable_options = { secure: true } + config.rememberable_options = {} # ==> Configuration for :validatable # Range for password length. diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index 3d9bf96fd..210964b1f 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -2,5 +2,5 @@ Rails.application.config.session_store :cookie_store, key: '_mastodon_session', - secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), + secure: false, # All cookies have their secure flag set by the force_ssl option in production same_site: :lax diff --git a/lib/action_dispatch/cookie_jar_extensions.rb b/lib/action_dispatch/cookie_jar_extensions.rb deleted file mode 100644 index 1be9053ba..000000000 --- a/lib/action_dispatch/cookie_jar_extensions.rb +++ /dev/null @@ -1,25 +0,0 @@ -# frozen_string_literal: true - -module ActionDispatch - module CookieJarExtensions - private - - # Monkey-patch ActionDispatch to serve secure cookies to Tor Hidden Service - # users. Otherwise, ActionDispatch would drop the cookie over HTTP. - def write_cookie?(*) - request.host.end_with?('.onion') || super - end - end -end - -ActionDispatch::Cookies::CookieJar.prepend(ActionDispatch::CookieJarExtensions) - -module Rack - module SessionPersistedExtensions - def security_matches?(request, options) - request.host.end_with?('.onion') || super - end - end -end - -Rack::Session::Abstract::Persisted.prepend(Rack::SessionPersistedExtensions)