cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Tighten up cookie security

Browse source 
Mark all cookies as Secure, and the cookies which are not
modified client side as HttpOnly.
This commit is contained in:
Tom Hughes 2021-02-19 18:18:13 +00:00
parent 56a2aa8efa
commit f91dd6afc2
3 changed files with 4 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
app/assets/javascripts/index.js
View file

@ -189,7 +189,7 @@ $(document).ready(function () {
map._object);
$.removeCookie("_osm_location");
$.cookie("_osm_location", OSM.locationCookie(map), { expires: expiry, path: "/" });
$.cookie("_osm_location", OSM.locationCookie(map), { secure: true, expires: expiry, path: "/" });
});
if ($.cookie("_osm_welcome") !== "hide") {
@ -198,7 +198,7 @@ $(document).ready(function () {
$(".welcome .close").on("click", function () {
$(".welcome").removeClass("visible");
$.cookie("_osm_welcome", "hide", { expires: expiry, path: "/" });
$.cookie("_osm_welcome", "hide", { secure: true, expires: expiry, path: "/" });
});
var bannerExpiry = new Date();
@ -209,7 +209,7 @@ $(document).ready(function () {
$("#banner").hide();
e.preventDefault();
if (cookieId) {
$.cookie(cookieId, "hide", { expires: bannerExpiry, path: "/" });
$.cookie(cookieId, "hide", { secure: true, expires: bannerExpiry, path: "/" });
}
});

2
app/assets/javascripts/index/directions.js
View file

@ -334,7 +334,7 @@ OSM.Directions = function (map) {
select.on("change", function (e) {
chosenEngine = engines[e.target.selectedIndex];
$.cookie("_osm_directions_engine", chosenEngine.id, { expires: expiry, path: "/" });
$.cookie("_osm_directions_engine", chosenEngine.id, { secure: true, expires: expiry, path: "/" });
getRoute(true, true);
});

7
config/initializers/secure_headers.rb
View file

@ -26,11 +26,6 @@ csp_policy[:img_src] << Settings.storage_url if Settings.key?(:storage_url)
csp_policy[:report_uri] << Settings.csp_report_url if Settings.key?(:csp_report_url)
cookie_policy = {
:secure => SecureHeaders::OPT_OUT,
:httponly => SecureHeaders::OPT_OUT
}
SecureHeaders::Configuration.default do |config|
config.hsts = SecureHeaders::OPT_OUT
@ -44,6 +39,4 @@ SecureHeaders::Configuration.default do |config|
config.csp = SecureHeaders::OPT_OUT
config.csp_report_only = SecureHeaders::OPT_OUT
end
config.cookies = cookie_policy
end