diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-28 12:08:30 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-28 12:08:30 +0300 |
| commit | 132dd28342c2bcbd42475f9dffc60dff12ffb8a6 (patch) | |
| tree | 4c60a8801a24b49921eb7480a61674e422231d1f /lib/gitlab/middleware | |
| parent | dcc65c870d1f8c8fb697a46c2d61f1cef7b9fd3a (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/middleware')
| -rw-r--r-- | lib/gitlab/middleware/same_site_cookies.rb | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/lib/gitlab/middleware/same_site_cookies.rb b/lib/gitlab/middleware/same_site_cookies.rb new file mode 100644 index 00000000000..45968035e79 --- /dev/null +++ b/lib/gitlab/middleware/same_site_cookies.rb @@ -0,0 +1,63 @@ +# frozen_string_literal: true + +# This middleware sets the SameSite directive to None on all cookies. +# It also adds the Secure directive if HTTPS is enabled. +# +# Chrome v80, rolled out in March 2020, treats any cookies without the +# SameSite directive set as though they are SameSite=Lax +# (https://www.chromestatus.com/feature/5088147346030592). This is a +# breaking change from the previous default behavior, which was to treat +# those cookies as SameSite=None. +# +# This middleware is needed until we upgrade to Rack v2.1.0+ +# (https://github.com/rack/rack/commit/c859bbf7b53cb59df1837612a8c330dfb4147392) +# and a version of Rails that has native support +# (https://github.com/rails/rails/commit/7ccaa125ba396d418aad1b217b63653d06044680). +# +module Gitlab + module Middleware + class SameSiteCookies + COOKIE_SEPARATOR = "\n".freeze + + def initialize(app) + @app = app + end + + def call(env) + status, headers, body = @app.call(env) + result = [status, headers, body] + + set_cookie = headers['Set-Cookie']&.strip + + return result if set_cookie.blank? || !ssl? + + cookies = set_cookie.split(COOKIE_SEPARATOR) + + cookies.each do |cookie| + next if cookie.blank? + + # Chrome will drop SameSite=None cookies without the Secure + # flag. If we remove this middleware, we may need to ensure + # that all cookies set this flag. + if ssl? && !(cookie =~ /;\s*secure/i) + cookie << '; Secure' + end + + unless cookie =~ /;\s*samesite=/i + cookie << '; SameSite=None' + end + end + + headers['Set-Cookie'] = cookies.join(COOKIE_SEPARATOR) + + result + end + + private + + def ssl? + Gitlab.config.gitlab.https + end + end + end +end |