Onion service related changes to HTTPS handling (#15560)
* Enable secure cookie flag for https only * Disable force_ssl for .onion hosts only Co-authored-by: Aiden McClelland <me@drbonez.dev>gh/stable
parent
d499bb031f
commit
e79f8dd85c
2
Gemfile
2
Gemfile
|
@ -161,3 +161,5 @@ gem 'connection_pool', require: false
|
|||
|
||||
gem 'xorcist', '~> 1.1'
|
||||
gem 'pluck_each', '~> 0.1.3'
|
||||
|
||||
gem 'secure_headers', '~> 3.5'
|
||||
|
|
|
@ -571,6 +571,8 @@ GEM
|
|||
scenic (1.5.4)
|
||||
activerecord (>= 4.0.0)
|
||||
railties (>= 4.0.0)
|
||||
secure_headers (3.9.0)
|
||||
useragent
|
||||
securecompare (1.0.0)
|
||||
semantic_range (2.3.0)
|
||||
sidekiq (6.1.3)
|
||||
|
@ -652,6 +654,7 @@ GEM
|
|||
unf_ext (0.0.7.7)
|
||||
unicode-display_width (1.7.0)
|
||||
uniform_notifier (1.13.2)
|
||||
useragent (0.16.10)
|
||||
warden (1.2.9)
|
||||
rack (>= 2.0.9)
|
||||
webauthn (3.0.0.alpha1)
|
||||
|
@ -795,6 +798,7 @@ DEPENDENCIES
|
|||
ruby-progressbar (~> 1.11)
|
||||
sanitize (~> 5.2)
|
||||
scenic (~> 1.5)
|
||||
secure_headers (~> 3.5)
|
||||
sidekiq (~> 6.1)
|
||||
sidekiq-bulk (~> 0.2.0)
|
||||
sidekiq-scheduler (~> 3.0)
|
||||
|
|
|
@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base
|
|||
private
|
||||
|
||||
def https_enabled?
|
||||
Rails.env.production? && !request.path.start_with?('/health')
|
||||
Rails.env.production? && !request.path.start_with?('/health') && !request.headers["Host"].ends_with?(".onion")
|
||||
end
|
||||
|
||||
def authorized_fetch_mode?
|
||||
|
|
|
@ -88,10 +88,18 @@ class Webfinger
|
|||
end
|
||||
|
||||
def standard_url
|
||||
"https://#{@domain}/.well-known/webfinger?resource=#{@uri}"
|
||||
if @domain.ends_with? ".onion"
|
||||
"http://#{@domain}/.well-known/webfinger?resource=#{@uri}"
|
||||
else
|
||||
"https://#{@domain}/.well-known/webfinger?resource=#{@uri}"
|
||||
end
|
||||
end
|
||||
|
||||
def host_meta_url
|
||||
"https://#{@domain}/.well-known/host-meta"
|
||||
if @domain.ends_with? ".onion"
|
||||
"http://#{@domain}/.well-known/host-meta"
|
||||
else
|
||||
"https://#{@domain}/.well-known/host-meta"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -9,7 +9,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
|
|||
value: session_id,
|
||||
expires: 1.year.from_now,
|
||||
httponly: true,
|
||||
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
|
||||
same_site: :lax,
|
||||
}
|
||||
end
|
||||
|
@ -20,7 +19,6 @@ Warden::Manager.after_fetch do |user, warden|
|
|||
value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
|
||||
expires: 1.year.from_now,
|
||||
httponly: true,
|
||||
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
|
||||
same_site: :lax,
|
||||
}
|
||||
else
|
||||
|
@ -229,10 +227,6 @@ Devise.setup do |config|
|
|||
# If true, extends the user's remember period when remembered via cookie.
|
||||
# config.extend_remember_period = false
|
||||
|
||||
# Options to be passed to the created cookie. For instance, you can set
|
||||
# secure: true in order to force SSL only cookies.
|
||||
config.rememberable_options = { secure: true }
|
||||
|
||||
# ==> Configuration for :validatable
|
||||
# Range for password length.
|
||||
config.password_length = 8..72
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
|
||||
Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
SecureHeaders::Configuration.default do |config|
|
||||
config.cookies = {
|
||||
secure: true,
|
||||
httponly: true,
|
||||
samesite: {
|
||||
lax: true
|
||||
}
|
||||
}
|
||||
config.csp = SecureHeaders::OPT_OUT
|
||||
end
|
|
@ -2,6 +2,5 @@
|
|||
|
||||
Rails.application.config.session_store :cookie_store, {
|
||||
key: '_mastodon_session',
|
||||
secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
|
||||
same_site: :lax,
|
||||
}
|
||||
|
|
Reference in New Issue