From 1dbc59053187928338162e2d87fdc8112145dffb Mon Sep 17 00:00:00 2001
From: Neil Matatall
Date: Tue, 25 Jul 2017 11:45:59 -1000
Subject: [PATCH] don't try to modify an opt-out config for cookies
---
 lib/secure_headers.rb | 2 +-
 lib/secure_headers/middleware.rb | 2 +-
 spec/lib/secure_headers/middleware_spec.rb | 7 +++++++
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/lib/secure_headers.rb b/lib/secure_headers.rb
index 5f0349e5..70a4cd27 100644
--- a/lib/secure_headers.rb
+++ b/lib/secure_headers.rb
@@ -24,7 +24,7 @@ module SecureHeaders
 class NoOpHeaderConfig
 include Singleton
- def boom(arg = nil)
+ def boom(*args)
 raise "Illegal State: attempted to modify NoOpHeaderConfig. Create a new config instead."
 end
diff --git a/lib/secure_headers/middleware.rb b/lib/secure_headers/middleware.rb
index 7515e653..910c386c 100644
--- a/lib/secure_headers/middleware.rb
+++ b/lib/secure_headers/middleware.rb
@@ -38,7 +38,7 @@ def flag_cookies!(headers, config)
 # disable Secure cookies for non-https requests
 def override_secure(env, config = {})
- if scheme(env) != "https"
+ if scheme(env) != "https" && config != OPT_OUT
 config[:secure] = OPT_OUT
 end
diff --git a/spec/lib/secure_headers/middleware_spec.rb b/spec/lib/secure_headers/middleware_spec.rb
index 697d1e84..8d827254 100644
--- a/spec/lib/secure_headers/middleware_spec.rb
+++ b/spec/lib/secure_headers/middleware_spec.rb
@@ -65,6 +65,13 @@ module SecureHeaders
 end
 end
+ it "allows opting out of cookie protection with OPT_OUT alone" do
+ Configuration.default { |config| config.cookies = OPT_OUT}
+ request = Rack::Request.new({})
+ _, env = cookie_middleware.call request.env
+ expect(env["Set-Cookie"]).to eq("foo=bar")
+ end
+
 context "cookies should not be flagged" do
 it "does not flags cookies as secure" do
 Configuration.default { |config| config.cookies = {secure: OPT_OUT, httponly: OPT_OUT, samesite: OPT_OUT} }
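Review bot: The splat parameter introduced on the `def boom(*args)` line is never read in the body, so it should be named `*_args` (or a bare `*`) to signal that accepting any arity is deliberate. A one-line why-comment would also help the next reader, since nothing in this hunk shows which methods are routed to `boom`: `# accept any arity: every call that would mutate the no-op config must fail with this message, not with ArgumentError`. The rest of NoOpHeaderConfig continues outside the hunk.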
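Review bot: The new guard on the `if scheme(env) != "https" && config != OPT_OUT` line compares with `!=`, which dispatches to whatever `==` the left operand defines; if OPT_OUT is the NoOpHeaderConfig singleton shown in the first hunk, an identity test states the intent and cannot be affected by a `==` override: `if scheme(env) != "https" && !config.equal?(OPT_OUT)`. Separately, `config[:secure] = OPT_OUT` writes into the hash it was handed; if a caller ever passes the shared default cookie configuration rather than a per-request copy, one plain-http request would strip the Secure flag from every later https response, so a comment above the method stating that callers must pass a per-request copy is worth adding — the call sites are not visible here. override_secure's body continues past the end of the hunk.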
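Review bot: In the added example, `_, env = cookie_middleware.call request.env` binds the middleware's response headers to a variable named `env`, which reads as the Rack env built on the line before it; `_, headers = cookie_middleware.call(request.env)` and `expect(headers["Set-Cookie"]).to eq("foo=bar")` make the assertion read correctly. The block on the `config.cookies = OPT_OUT}` line is also missing the space before `}` that the neighbouring examples use. The enclosing describe block starts and ends outside the hunk.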