From f91dd6afc21fdf17cd9c3fa71784540d3f245ddf Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Fri, 19 Feb 2021 18:18:13 +0000
Subject: [PATCH] Tighten up cookie security

Mark all cookies as Secure, and the cookies which are not modified client side as HttpOnly.
---
 app/assets/javascripts/index.js | 6 +++---
 app/assets/javascripts/index/directions.js | 2 +-
 config/initializers/secure_headers.rb | 7 -------
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/app/assets/javascripts/index.js b/app/assets/javascripts/index.js
index 10f28ef92..a2169643f 100644
--- a/app/assets/javascripts/index.js
+++ b/app/assets/javascripts/index.js
@@ -189,7 +189,7 @@ $(document).ready(function () {
 map._object);
 $.removeCookie("_osm_location");
- $.cookie("_osm_location", OSM.locationCookie(map), { expires: expiry, path: "/" });
+ $.cookie("_osm_location", OSM.locationCookie(map), { secure: true, expires: expiry, path: "/" });
 });
 if ($.cookie("_osm_welcome") !== "hide") {
@@ -198,7 +198,7 @@ $(document).ready(function () {
 $(".welcome .close").on("click", function () {
 $(".welcome").removeClass("visible");
- $.cookie("_osm_welcome", "hide", { expires: expiry, path: "/" });
+ $.cookie("_osm_welcome", "hide", { secure: true, expires: expiry, path: "/" });
 });
 var bannerExpiry = new Date();
@@ -209,7 +209,7 @@ $(document).ready(function () {
 $("#banner").hide();
 e.preventDefault();
 if (cookieId) {
- $.cookie(cookieId, "hide", { expires: bannerExpiry, path: "/" });
+ $.cookie(cookieId, "hide", { secure: true, expires: bannerExpiry, path: "/" });
 }
 });
diff --git a/app/assets/javascripts/index/directions.js b/app/assets/javascripts/index/directions.js
index ee44ad4c4..a58b0af16 100644
--- a/app/assets/javascripts/index/directions.js
+++ b/app/assets/javascripts/index/directions.js
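Review bot: `secure: true` is hard-coded on the `_osm_location` write, but browsers discard a Secure cookie set from a non-https origin, so on any deployment served over plain HTTP (a local development instance, for example) this preference silently stops persisting; the `_osm_welcome`, banner and `_osm_directions_engine` writes in this patch have the same property. Consider deriving the flag from the page instead, `secure: window.location.protocol === "https:"`, or centralising the four option objects in one helper such as `OSM.cookieOptions(expires)` so that Secure, Path and a SameSite value are set consistently rather than repeated at each call site. None of the four writes sets `SameSite`; browsers now default it to Lax, but stating it explicitly is cheap if the cookie plugin in use supports the option. The `$.removeCookie("_osm_location")` on the line above passes no `path`, so it may not target the same cookie as the `path: "/"` write that follows; the write overwrites it anyway, so the removal looks redundant, though that predates this commit. The enclosing `$(document).ready` handler starts before this hunk and continues after it.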
@@ -334,7 +334,7 @@ OSM.Directions = function (map) {
 select.on("change", function (e) {
 chosenEngine = engines[e.target.selectedIndex];
- $.cookie("_osm_directions_engine", chosenEngine.id, { expires: expiry, path: "/" });
+ $.cookie("_osm_directions_engine", chosenEngine.id, { secure: true, expires: expiry, path: "/" });
 getRoute(true, true);
 });
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index daf66bfc7..c97762a37 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -26,11 +26,6 @@
 csp_policy[:img_src] << Settings.storage_url if Settings.key?(:storage_url)
 csp_policy[:report_uri] << Settings.csp_report_url if Settings.key?(:csp_report_url)
-cookie_policy = {
- :secure => SecureHeaders::OPT_OUT,
- :httponly => SecureHeaders::OPT_OUT
-}
-
 SecureHeaders::Configuration.default do |config|
 config.hsts = SecureHeaders::OPT_OUT
@@ -44,6 +39,4 @@ SecureHeaders::Configuration.default do |config|
 config.csp = SecureHeaders::OPT_OUT
 config.csp_report_only = SecureHeaders::OPT_OUT
 end
-
- config.cookies = cookie_policy
 end
--
2.39.5
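Review bot: Deleting `cookie_policy` and the `config.cookies = cookie_policy` assignment leaves the cookie policy at whatever the secure_headers gem defaults to, which this file no longer states, so the actual flags applied to server-set cookies now depend on the installed gem version rather than on the initializer. Pinning the intent explicitly, e.g. `config.cookies = { :secure => true, :httponly => true, :samesite => { :lax => true } }`, documents what the commit message promises and survives gem upgrades. The message also says only cookies that are not modified client side should be HttpOnly; if the server ever writes a cookie that the JavaScript reads back (the client code reads `_osm_welcome` and `_osm_location`, though whether the server sets them is not visible here), that cookie would need an `:httponly => { :except => [...] }` carve-out or the client would lose access to it, so that is worth confirming. The `SecureHeaders::Configuration.default` block begins inside the first hunk and runs past it to the `end` in the second.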