
Comments (4)

oreoshake avatar oreoshake commented on July 20, 2024

@arashb31 There is a way! In fact, it's probably the best way to retroactively roll out samesite in general.

# Named override: per-cookie SameSite rules keyed by cookie name
# (only/except lists), applied on top of the default configuration.
SecureHeaders::Configuration.override(:admin_hardening) do |config|
  config.cookies = {
    samesite: {
      strict: { only: ["my_admin_cookie"] },
      none: { only: ["saml_csrf_token", "saml_return_to"] },
      lax: { except: ["my_admin_cookie", "saml_csrf_token", "saml_return_to"] },
    },
  }
end

# You'll want to do this as early as possible, as you would lose
# any modifications to the config made up to this point
# (append/override_content_security_policy_directives).
def some_before_action
  if admin?
    use_secure_headers_override(request, :admin_hardening)
  end
end

What I can't recall is if you'd need to copy over whatever other cookie settings or if you only need to supply the modifications. I suspect you'd need to duplicate the config (or read from config.cookies)

from secure_headers.

arashb31 avatar arashb31 commented on July 20, 2024

Wow that worked very nicely!
One unexpected side effect was that a lot of other headers were set that I was not expecting.
I'm guessing the gem sets a default hardening. Is there a way to disable all those default hardenings?

Edit: As a quick workaround I simply set all the settings in the config to SecureHeaders::OPT_OUT

One other thing I did notice is that if a cookie's value does not change during a single request lifecycle, then changing its SameSite value like above does not work.

I believe this is due to the fact that Rails only creates a 'Set-Cookie' header if the value has changed from the value initially sent by the user.

I believe this gem uses Rack middleware to modify the cookies' security settings. Since Rails does not know about the middleware, it doesn't realize the SameSite value wants to be changed, so if the cookie's actual value does not change, Rails doesn't generate the header again.

Would you know any way to force Rails to create the 'Set-Cookie' header, so that the Rack middleware can then modify its SameSite value?

Thanks for your help!

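As an added illustration (not secure_headers' own middleware, which is more involved), here is a simplified Rack-layer rewriter that applies the per-cookie SameSite rules from the override above and shows the behaviour discussed in this thread: a cookie the app did not re-set produces no Set-Cookie line, so there is nothing to rewrite. It assumes Rack's newline-joined Set-Cookie header value and the strict/none/lax only/except config shape; rules are checked in the order listed, first match wins.

```ruby
# Added example, not secure_headers' code. Same shape as the override above.
POLICY = {
  strict: { only: ["my_admin_cookie"] },
  none:   { only: ["saml_csrf_token", "saml_return_to"] },
  lax:    { except: ["my_admin_cookie", "saml_csrf_token", "saml_return_to"] },
}.freeze

# Returns the SameSite value (:strict, :none, :lax) for a cookie name,
# or nil when no rule matches. Rules are evaluated in hash order.
def samesite_for(name, policy = POLICY)
  policy.each do |value, rule|
    return value if rule[:only] && rule[:only].include?(name)
    return value if rule[:except] && !rule[:except].include?(name)
  end
  nil
end

# Rewrites one Set-Cookie line: drops any existing SameSite attribute and
# appends the policy's value. Browsers only accept SameSite=None together
# with Secure, so Secure is added in that case if missing.
def rewrite_set_cookie(line, policy = POLICY)
  name = line.split("=", 2).first.strip
  value = samesite_for(name, policy)
  return line if value.nil?
  attrs = line.split(";").map(&:strip)
              .reject { |a| a.downcase.start_with?("samesite=") }
  attrs << "Secure" if value == :none && attrs.none? { |a| a.casecmp?("Secure") }
  (attrs << "SameSite=#{value.to_s.capitalize}").join("; ")
end

# Applies the policy to a Rack response header hash. Only cookies that the
# application actually (re)set in this response have a Set-Cookie line;
# everything else is untouched, which is the side effect noted above.
def apply_samesite(headers, policy = POLICY)
  raw = headers["Set-Cookie"]
  return headers if raw.nil?
  lines = raw.is_a?(Array) ? raw : raw.split("\n")
  headers.merge("Set-Cookie" => lines.map { |l| rewrite_set_cookie(l, policy) })
end
```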

oreoshake avatar oreoshake commented on July 20, 2024

There was an example of someone doing this recently: #450

There isn't a single-line config option but you can turn off the safe defaults using that strategy.


arashb31 avatar arashb31 commented on July 20, 2024

Thanks so much. Appreciate the help, and an excellent gem!

