Onion service related changes to HTTPS handling (#15560)

* Enable secure cookie flag for https only

* Disable force_ssl for .onion hosts only

Co-authored-by: Aiden McClelland <me@drbonez.dev>

diff --git a/Gemfile b/Gemfile
index 78cb44168a76eca9a619fad0895be967fdbf2c6e..8d8542f83daed5987b194e89dfdb4b6ec28e24e2 100644 (file)
--- a/Gemfile
+++ b/Gemfile
@@ -161,3 +161,5 @@ gem 'connection_pool', require: false
 
 gem 'xorcist', '~> 1.1'
 gem 'pluck_each', '~> 0.1.3'
+
+gem 'secure_headers', '~> 3.5'

diff --git a/Gemfile.lock b/Gemfile.lock
index bd32f72a7332cf8317a47f37f7df9196f645aa45..4237d6bba755fe9d8d2a2a9a8ed2b4e02db78459 100644 (file)
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -571,6 +571,8 @@ GEM
     scenic (1.5.4)
       activerecord (>= 4.0.0)
       railties (>= 4.0.0)
+    secure_headers (3.9.0)
+      useragent
     securecompare (1.0.0)
     semantic_range (2.3.0)
     sidekiq (6.1.3)
@@ -652,6 +654,7 @@ GEM
     unf_ext (0.0.7.7)
     unicode-display_width (1.7.0)
     uniform_notifier (1.13.2)
+    useragent (0.16.10)
     warden (1.2.9)
       rack (>= 2.0.9)
     webauthn (3.0.0.alpha1)
@@ -795,6 +798,7 @@ DEPENDENCIES
   ruby-progressbar (~> 1.11)
   sanitize (~> 5.2)
   scenic (~> 1.5)
+  secure_headers (~> 3.5)
   sidekiq (~> 6.1)
   sidekiq-bulk (~> 0.2.0)
   sidekiq-scheduler (~> 3.0)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 44616d6e5ee45e35a8609946126d5fd9cfe2f38c..c9311c1b6c5ec2cb0c3f9b91e0957cd001b3fb73 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base
   private
 
   def https_enabled?
-    Rails.env.production? && !request.path.start_with?('/health')
+    Rails.env.production? && !request.path.start_with?('/health') && !request.headers["Host"].ends_with?(".onion")
   end
 
   def authorized_fetch_mode?

diff --git a/app/lib/webfinger.rb b/app/lib/webfinger.rb
index 7023659395b51de5581ec41aed32497cb2033636..40795a7aa91e7f81ac55bcb54359309bdbac7f5e 100644 (file)
--- a/app/lib/webfinger.rb
+++ b/app/lib/webfinger.rb
@@ -88,10 +88,18 @@ class Webfinger
   end
 
   def standard_url
-    "https://#{@domain}/.well-known/webfinger?resource=#{@uri}"
+    if @domain.ends_with? ".onion"
+      "http://#{@domain}/.well-known/webfinger?resource=#{@uri}"
+    else
+      "https://#{@domain}/.well-known/webfinger?resource=#{@uri}"
+    end
   end
 
   def host_meta_url
-    "https://#{@domain}/.well-known/host-meta"
+    if @domain.ends_with? ".onion"
+      "http://#{@domain}/.well-known/host-meta"
+    else
+      "https://#{@domain}/.well-known/host-meta"
+    end
   end
 end

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index ef612e177de2fc7557653944f613717064eecc72..d3757b0d343c8b6ade7d87766eca5c713a47a4fc 100644 (file)
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -9,7 +9,6 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
     value: session_id,
     expires: 1.year.from_now,
     httponly: true,
-    secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
     same_site: :lax,
   }
 end
@@ -20,7 +19,6 @@ Warden::Manager.after_fetch do |user, warden|
       value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
       expires: 1.year.from_now,
       httponly: true,
-      secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
       same_site: :lax,
     }
   else
@@ -229,10 +227,6 @@ Devise.setup do |config|
   # If true, extends the user's remember period when remembered via cookie.
   # config.extend_remember_period = false
 
-  # Options to be passed to the created cookie. For instance, you can set
-  # secure: true in order to force SSL only cookies.
-  config.rememberable_options = { secure: true }
-
   # ==> Configuration for :validatable
   # Range for password length.
   config.password_length = 8..72

diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb
index dc88fa63cd09430875d3ab5bd0508e8183f09ecb..afd29eda8de277c5062f3c61746d8c717aa458a7 100644 (file)
--- a/config/initializers/makara.rb
+++ b/config/initializers/makara.rb
@@ -1,2 +1 @@
 Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
-Makara::Cookie::DEFAULT_OPTIONS[:secure]    = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'

diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb
new file mode 100644 (file)
index 0000000..6c8ac7f
--- /dev/null
+++ b/config/initializers/secureheaders.rb
@@ -0,0 +1,10 @@
+SecureHeaders::Configuration.default do |config|
+  config.cookies = {
+    secure: true,
+    httponly: true,
+    samesite: {
+      lax: true
+    }
+  }
+  config.csp = SecureHeaders::OPT_OUT
+end

diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index e5d1be4c6c7d53619c7bcd40c1806ef77ca669ce..7e3471ac4cb4e36774b3510ea45e15bbcfda453c 100644 (file)
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -2,6 +2,5 @@
 
 Rails.application.config.session_store :cookie_store, {
   key: '_mastodon_session',
-  secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
   same_site: :lax,
 }