Don't mark banner cookies as HttpOnly

Fixes #3231
Tom Hughes 2021-06-23 15:08:45 +01:00
parent f6818bb2ed
commit 1096b3b8e2


@ -26,6 +26,10 @@ csp_policy[:img_src] << Settings.storage_url if Settings.key?(:storage_url)
csp_policy[:report_uri] << Settings.csp_report_url if Settings.key?(:csp_report_url)
cookie_policy = {
:httponly => { :only => ["_osm_session"] }
}
SecureHeaders::Configuration.default do |config|
config.hsts = SecureHeaders::OPT_OUT
config.referrer_policy = "strict-origin-when-cross-origin"
@ -40,4 +44,6 @@ SecureHeaders::Configuration.default do |config|
config.csp = SecureHeaders::OPT_OUT
config.csp_report_only = SecureHeaders::OPT_OUT
end
config.cookies = cookie_policy
end
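Review bot: Assigning `config.cookies = cookie_policy` where `cookie_policy` names only `:httponly` replaces the whole cookie policy rather than merging into it, so unless secure_headers fills in the missing keys from its defaults, the `Secure` and `SameSite` attributes could silently stop being emitted for every cookie, including `_osm_session` — worth confirming against the installed secure_headers version. Stating the intended flags explicitly removes the ambiguity: `cookie_policy = { :secure => true, :samesite => { :lax => true }, :httponly => { :only => ["_osm_session"] } }`. The hard-coded `"_osm_session"` also has to stay in step with the session store's cookie name, which is configured elsewhere; a one-line comment such as `# must match the session cookie key in config/initializers/session_store.rb (only the session cookie keeps HttpOnly; banner cookies are read by JS)` would make that coupling visible to the next maintainer. The `SecureHeaders::Configuration.default` block starts in the first hunk and ends here, so only the visible lines were reviewed.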