From 1096b3b8e2d986bc522c46d8d50b723dfd4dfff8 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Wed, 23 Jun 2021 15:08:45 +0100 Subject: [PATCH] Don't mark banner cookies as HttpOnly Fixes #3231 --- config/initializers/secure_headers.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb index d3b5a568d..f09759fa6 100644 --- a/config/initializers/secure_headers.rb +++ b/config/initializers/secure_headers.rb @@ -26,6 +26,10 @@ csp_policy[:img_src] << Settings.storage_url if Settings.key?(:storage_url) csp_policy[:report_uri] << Settings.csp_report_url if Settings.key?(:csp_report_url) +cookie_policy = { + :httponly => { :only => ["_osm_session"] } +} + SecureHeaders::Configuration.default do |config| config.hsts = SecureHeaders::OPT_OUT config.referrer_policy = "strict-origin-when-cross-origin" @@ -40,4 +44,6 @@ SecureHeaders::Configuration.default do |config| config.csp = SecureHeaders::OPT_OUT config.csp_report_only = SecureHeaders::OPT_OUT end + + config.cookies = cookie_policy end -- 2.39.5