Fix cookies not having a SameSite attribute (#15098)

acc1c038 · Eugen Rochko · GitHub · 9b1f2a4b · acc1c038 · acc1c038
Unverified Commit acc1c038 authored 4 years ago by Eugen Rochko Committed by GitHub 4 years ago
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -10,6 +10,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
    expires: 1.year.from_now,
    httponly: true,
    secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+    same_site: :lax,
  }
 end

@@ -20,6 +21,7 @@ Warden::Manager.after_fetch do |user, warden|
      expires: 1.year.from_now,
      httponly: true,
      secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+      same_site: :lax,
    }
  else
    warden.logout

--- a/config/initializers/makara.rb
+++ b/config/initializers/makara.rb
+Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
+Makara::Cookie::DEFAULT_OPTIONS[:secure]    = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
 # Be sure to restart your server when you modify this file.

-Rails.application.config.session_store :cookie_store, key: '_mastodon_session', secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true')
+Rails.application.config.session_store :cookie_store, {
+  key: '_mastodon_session',
+  secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+  same_site: :lax,
+}