Fix cookies not having a SameSite attribute (#15098)

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 59e69ad375feeb25d42038eb6b447f0702eb1d33..ef612e177de2fc7557653944f613717064eecc72 100644 (file)
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -10,6 +10,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
     expires: 1.year.from_now,
     httponly: true,
     secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+    same_site: :lax,
   }
 end
 
@@ -20,6 +21,7 @@ Warden::Manager.after_fetch do |user, warden|
       expires: 1.year.from_now,
       httponly: true,
       secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+      same_site: :lax,
     }
   else
     warden.logout

diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb
new file mode 100644 (file)
index 0000000..dc88fa6
--- /dev/null
+++ b/config/initializers/makara.rb
@@ -0,0 +1,2 @@
+Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
+Makara::Cookie::DEFAULT_OPTIONS[:secure]    = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'

diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 3dc0edd6fd262f70a6c496c922beb97bd096003c..e5d1be4c6c7d53619c7bcd40c1806ef77ca669ce 100644 (file)
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,7 @@
 # Be sure to restart your server when you modify this file.
 
-Rails.application.config.session_store :cookie_store, key: '_mastodon_session', secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true')
+Rails.application.config.session_store :cookie_store, {
+  key: '_mastodon_session',
+  secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+  same_site: :lax,
+}