Merge pull request #2633 from luukveenis/guest-token-http-only

jhawthorn · web-flow · commit 37627f324d9f · 2018-03-16T14:20:39.000-07:00
Set HttpOnly flag when sending guest_token cookie
diff --git a/core/lib/spree/core/controller_helpers/auth.rb b/core/lib/spree/core/controller_helpers/auth.rb
@@ -42,7 +42,10 @@ def redirect_back_or_default(default)
 
         def set_guest_token
           unless cookies.signed[:guest_token].present?
-            cookies.permanent.signed[:guest_token] = SecureRandom.urlsafe_base64(nil, false)
+            cookies.permanent.signed[:guest_token] = {
+              value: SecureRandom.urlsafe_base64(nil, false),
+              httponly: true
+            }
           end
         end
 
diff --git a/core/spec/lib/spree/core/controller_helpers/auth_spec.rb b/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
@@ -40,6 +40,7 @@ def index
     end
     it 'sends cookie header' do
       get :index
+      expect(response.headers["Set-Cookie"]).to match(/guest_token.*HttpOnly/)
       expect(response.cookies['guest_token']).not_to be_nil
     end
   end
