Comments (4)
@arashb31 There is a way! In fact, it's probably the best way to retroactively roll out samesite in general.
```ruby
SecureHeaders::Configuration.override(:admin_hardening) do |config|
  config.cookies = {
    samesite: {
      strict: { only: ["my_admin_cookie"] },
      none: { only: ["saml_csrf_token", "saml_return_to"] },
      lax: { except: ["my_admin_cookie", "saml_csrf_token", "saml_return_to"] },
    },
  }
end

# you'll want to do this as early as possible as you would lose
# any modifications to the config to this point (append/override_content_security_policy_directives)
def some_before_action
  if admin?
    use_secure_headers_override(request, :admin_hardening)
  end
end
```
What I can't recall is if you'd need to copy over whatever other cookie settings or if you only need to supply the modifications. I suspect you'd need to duplicate the config (or read from `config.cookies`).
Wow that worked very nicely!
One unexpected side effect was that a lot of other headers were set that I was not expecting.
I'm guessing the gem sets a default hardening. Is there a way to disable all those default hardenings?
Edit: As a quick workaround I simply set all the settings in the config to SecureHeaders::OPT_OUT
One other thing I did notice is that if a cookie's value does not change during a single request lifecycle, then changing its SameSite value like above does not work.
I believe this is due to the fact that Rails only creates a 'Set-Cookie' header if the value has changed from the value initially sent by the user.
I believe this gem uses Rack middleware to modify the cookies' security settings. Since Rails does not know about the middleware, it doesn't realize the SameSite value wants to be changed, so if the cookie's actual value does not change, Rails doesn't generate the header again.
Would you know any way to force Rails to create the 'Set-Cookie' header, so that the Rack middleware can then modify its SameSite value?
Thanks for your help!
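The two comments above describe a per-cookie SameSite policy (strict/none/lax with `only`/`except` lists) and the observation that a Rack-level rewriter can only touch cookies that the application actually re-emitted in a `Set-Cookie` header. The following is an added example, not code from secure_headers or from either commenter: a minimal Rack-style middleware (`SameSiteRewriter`, with helpers `samesite_for` and `apply_samesite`, all names chosen here) that applies a policy shaped like the override in the first comment to whatever `Set-Cookie` lines a response carries, plus a constructed fake app (`run_demo`) that, like Rails per the second comment, only emits `Set-Cookie` when the cookie value changed. The cookie values are made up, and the decision to add `Secure` alongside `SameSite=None` is this example's own choice (browsers drop `SameSite=None` cookies that are not `Secure`), not a documented secure_headers behaviour.

```ruby
# Added example: a Rack-style Set-Cookie rewriter driven by a per-cookie
# SameSite policy. Not part of the secure_headers gem.

# Same shape as the config.cookies[:samesite] override in the thread.
SAMESITE_POLICY = {
  strict: { only: ["my_admin_cookie"] },
  none:   { only: ["saml_csrf_token", "saml_return_to"] },
  lax:    { except: ["my_admin_cookie", "saml_csrf_token", "saml_return_to"] },
}.freeze

# Resolve the SameSite mode for one cookie name, or nil if no rule matches.
def samesite_for(name, policy = SAMESITE_POLICY)
  policy.each do |mode, rule|
    if rule[:only]
      return mode if rule[:only].include?(name)
    elsif rule[:except]
      return mode unless rule[:except].include?(name)
    end
  end
  nil
end

# Rewrite a single Set-Cookie line: drop any existing SameSite attribute and
# append the one the policy selects. Lines for unmatched cookies are untouched.
def apply_samesite(set_cookie_line, policy = SAMESITE_POLICY)
  parts = set_cookie_line.split(/;\s*/)
  name  = parts.first.split("=", 2).first
  mode  = samesite_for(name, policy)
  return set_cookie_line if mode.nil?

  attrs = parts.drop(1).reject { |a| a.downcase.start_with?("samesite") }
  # Example's own choice: SameSite=None is only honoured on Secure cookies.
  attrs << "Secure" if mode == :none && attrs.none? { |a| a.casecmp?("secure") }
  ([parts.first] + attrs + ["SameSite=#{mode.to_s.capitalize}"]).join("; ")
end

# Rack-style middleware: wraps an app returning [status, headers, body] and
# rewrites Set-Cookie, accepting either an Array of lines or a "\n"-joined String.
class SameSiteRewriter
  def initialize(app, policy = SAMESITE_POLICY)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    raw = headers["Set-Cookie"]
    if raw
      lines = raw.is_a?(Array) ? raw : raw.split("\n")
      headers["Set-Cookie"] = lines.map { |l| apply_samesite(l, @policy) }
    end
    # A response with no Set-Cookie header leaves nothing for us to rewrite.
    [status, headers, body]
  end
end

# Constructed fake app that, like Rails as described in the thread, only
# emits Set-Cookie when a cookie value changed during the request.
# Returns the final Set-Cookie header value (nil when none was emitted).
def run_demo(cookie_changed:)
  app = lambda do |_env|
    headers = { "Content-Type" => "text/plain" }
    if cookie_changed
      headers["Set-Cookie"] = [
        "my_admin_cookie=abc; Path=/; HttpOnly",      # constructed values
        "saml_csrf_token=xyz; Path=/; SameSite=Lax",
        "session_id=123; Path=/",
      ]
    end
    [200, headers, ["ok"]]
  end
  _status, headers, _body = SameSiteRewriter.new(app).call({})
  headers["Set-Cookie"]
end

if __FILE__ == $PROGRAM_NAME
  puts run_demo(cookie_changed: true)            # rewritten lines
  p    run_demo(cookie_changed: false)           # nil: nothing to rewrite
end
```

Running it shows the admin cookie gaining `SameSite=Strict`, the SAML cookie's `Lax` being replaced by `Secure; SameSite=None`, and the catch-all cookie getting `SameSite=Lax`; with `cookie_changed: false` the header is simply absent, which is exactly the case the second comment runs into, so the fix has to be on the application side (force the cookie to be written again) rather than in the middleware.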
There was an example of someone doing this recently: #450
There isn't a single-line config option but you can turn off the safe defaults using that strategy.
Thanks so much. Appreciate the help, and an excellent gem!