]> git.openstreetmap.org Git - rails.git/commitdiff
projects / rails.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 56a2aa8)
Tighten up cookie security
authorTom Hughes <tom@compton.nu>
Fri, 19 Feb 2021 18:18:13 +0000 (18:18 +0000)
committerTom Hughes <tom@compton.nu>
Fri, 19 Feb 2021 18:18:13 +0000 (18:18 +0000)
Mark all cookies as Secure, and the cookies which are not
modified client side as HttpOnly.

app/assets/javascripts/index.js patch | blob | history
app/assets/javascripts/index/directions.js patch | blob | history
config/initializers/secure_headers.rb patch | blob | history

diff --git a/app/assets/javascripts/index.js b/app/assets/javascripts/index.js
index 10f28ef9232b3c903aecd08d00fb725f9b6ad6b9..a2169643f37b8e99b3264fb895fab59f2903951f 100644 (file)
--- a/app/assets/javascripts/index.js
+++ b/app/assets/javascripts/index.js
@@ -189,7 +189,7 @@ $(document).ready(function () {
       map._object);
 
     $.removeCookie("_osm_location");
-    $.cookie("_osm_location", OSM.locationCookie(map), { expires: expiry, path: "/" });
+    $.cookie("_osm_location", OSM.locationCookie(map), { secure: true, expires: expiry, path: "/" });
   });
 
   if ($.cookie("_osm_welcome") !== "hide") {
@@ -198,7 +198,7 @@ $(document).ready(function () {
 
   $(".welcome .close").on("click", function () {
     $(".welcome").removeClass("visible");
-    $.cookie("_osm_welcome", "hide", { expires: expiry, path: "/" });
+    $.cookie("_osm_welcome", "hide", { secure: true, expires: expiry, path: "/" });
   });
 
   var bannerExpiry = new Date();
@@ -209,7 +209,7 @@ $(document).ready(function () {
     $("#banner").hide();
     e.preventDefault();
     if (cookieId) {
-      $.cookie(cookieId, "hide", { expires: bannerExpiry, path: "/" });
+      $.cookie(cookieId, "hide", { secure: true, expires: bannerExpiry, path: "/" });
     }
   });
 
diff --git a/app/assets/javascripts/index/directions.js b/app/assets/javascripts/index/directions.js
index ee44ad4c4be11be9db4ae5a9f684f0a11232b730..a58b0af16abc956471170020435ab0c916a8c508 100644 (file)
--- a/app/assets/javascripts/index/directions.js
+++ b/app/assets/javascripts/index/directions.js
@@ -334,7 +334,7 @@ OSM.Directions = function (map) {
 
   select.on("change", function (e) {
     chosenEngine = engines[e.target.selectedIndex];
-    $.cookie("_osm_directions_engine", chosenEngine.id, { expires: expiry, path: "/" });
+    $.cookie("_osm_directions_engine", chosenEngine.id, { secure: true, expires: expiry, path: "/" });
     getRoute(true, true);
   });
 
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index daf66bfc75eba53a48db397dbd656c9084256bcd..c97762a37233f760c502053f287aa99c083bf679 100644 (file)
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -26,11 +26,6 @@ csp_policy[:img_src] << Settings.storage_url if Settings.key?(:storage_url)
 
 csp_policy[:report_uri] << Settings.csp_report_url if Settings.key?(:csp_report_url)
 
-cookie_policy = {
-  :secure => SecureHeaders::OPT_OUT,
-  :httponly => SecureHeaders::OPT_OUT
-}
-
 SecureHeaders::Configuration.default do |config|
   config.hsts = SecureHeaders::OPT_OUT
 
@@ -44,6 +39,4 @@ SecureHeaders::Configuration.default do |config|
     config.csp = SecureHeaders::OPT_OUT
     config.csp_report_only = SecureHeaders::OPT_OUT
   end
-
-  config.cookies = cookie_policy
 end
The OpenStreetMap web site