Relax cookie security policy

author Tom Hughes <tom@compton.nu>

Wed, 1 Nov 2017 17:44:22 +0000 (17:44 +0000)

committer Tom Hughes <tom@compton.nu>

Wed, 1 Nov 2017 17:48:35 +0000 (17:48 +0000)
author Tom Hughes <tom@compton.nu>
Wed, 1 Nov 2017 17:44:22 +0000 (17:44 +0000)
committer Tom Hughes <tom@compton.nu>
Wed, 1 Nov 2017 17:48:35 +0000 (17:48 +0000)
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb

index 361fb32838afcd6f00eeab8f4c15e38deab7ea27..f4633d72f5e860717cb030bbd32a17f60381b10c 100644 (file)
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -1,5 +1,5 @@
  if defined?(CSP_REPORT_URL)
  if defined?(CSP_REPORT_URL)
-  policy = {
+  csp_policy = {
      :default_src => %w['self'],
      :child_src => %w['self'],
      :connect_src => %w['self'],
      :default_src => %w['self'],
      :child_src => %w['self'],
      :connect_src => %w['self'],
@@ -15,13 +15,19 @@ if defined?(CSP_REPORT_URL)
      :report_uri => [CSP_REPORT_URL]
    }
  
      :report_uri => [CSP_REPORT_URL]
    }
  
-  policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
+  csp_policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
  else
  else
-  policy = SecureHeaders::OPT_OUT
+  csp_policy = SecureHeaders::OPT_OUT
  end
  
  end
  
+cookie_policy = {
+  :secure => SecureHeaders::OPT_OUT,
+  :httponly => SecureHeaders::OPT_OUT
+}
+
  SecureHeaders::Configuration.default do |config|
    config.hsts = "max-age=0"
    config.csp = SecureHeaders::OPT_OUT
  SecureHeaders::Configuration.default do |config|
    config.hsts = "max-age=0"
    config.csp = SecureHeaders::OPT_OUT
-  config.csp_report_only = policy
+  config.csp_report_only = csp_policy
+  config.cookies = cookie_policy
  end
  end
author	Tom Hughes <tom@compton.nu>
	Wed, 1 Nov 2017 17:44:22 +0000 (17:44 +0000)
committer	Tom Hughes <tom@compton.nu>
	Wed, 1 Nov 2017 17:48:35 +0000 (17:48 +0000)