Merge pull request #34 from finnlabs/feature/allow_form_post_method

lessen sameSite restriction on form_post methods
pull/6827/head
Markus Kahl 6 years ago committed by GitHub
commit 5d3f91f472
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 13
      lib/open_project/openid_connect/engine.rb

@ -50,6 +50,19 @@ module OpenProject::OpenIDConnect
end end
end end
#config.to_prepare do
initializer 'openid_connect.form_post_method' do
# If response_mode 'form_post' is chosen,
# the IP sends a POST to the callback. Only if
# the sameSite flag is not set on the session cookie, is the cookie send along with the request.
if OpenProject::Configuration.openid_connect.any? { |_, v| v['response_mode']&.to_s == 'form_post' }
SecureHeaders::Configuration.default.cookies[:samesite][:lax] = false
# Need to reload the secure_headers config to
# avoid having set defaults (e.g. https) when changing the cookie values
load Rails.root + 'config/initializers/secure_headers.rb'
end
end
config.to_prepare do config.to_prepare do
# set a secure cookie in production # set a secure cookie in production
secure_cookie = !!Rails.configuration.force_ssl secure_cookie = !!Rails.configuration.force_ssl

Loading…
Cancel
Save