don't try to modify an opt-out config for cookies

github · Jul 25, 2017 · 1dbc590 · 1dbc590
1 parent 501270c
commit 1dbc590
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/lib/secure_headers.rb b/lib/secure_headers.rb
@@ -24,7 +24,7 @@ module SecureHeaders
   class NoOpHeaderConfig
     include Singleton
 
-    def boom(arg = nil)
+    def boom(*args)
       raise "Illegal State: attempted to modify NoOpHeaderConfig. Create a new config instead."
     end
 

diff --git a/lib/secure_headers/middleware.rb b/lib/secure_headers/middleware.rb
@@ -38,7 +38,7 @@ def flag_cookies!(headers, config)
 
     # disable Secure cookies for non-https requests
     def override_secure(env, config = {})
-      if scheme(env) != "https"
+      if scheme(env) != "https" && config != OPT_OUT
         config[:secure] = OPT_OUT
       end
 

diff --git a/spec/lib/secure_headers/middleware_spec.rb b/spec/lib/secure_headers/middleware_spec.rb
@@ -65,6 +65,13 @@ module SecureHeaders
         end
       end
 
+      it "allows opting out of cookie protection with OPT_OUT alone" do
+        Configuration.default { |config| config.cookies = OPT_OUT}
+        request = Rack::Request.new({})
+        _, env = cookie_middleware.call request.env
+        expect(env["Set-Cookie"]).to eq("foo=bar")
+      end
+
       context "cookies should not be flagged" do
         it "does not flags cookies as secure" do
           Configuration.default { |config| config.cookies = {secure: OPT_OUT, httponly: OPT_OUT, samesite: OPT_OUT}  }