From c18eaa98130ceb08d0d77037216a35823c25d530 Mon Sep 17 00:00:00 2001
From: Luuk Veenis
Date: Thu, 15 Mar 2018 13:48:27 -0700
Subject: [PATCH] Set HttpOnly flag when sending guest_token cookie

The HttpOnly flag prevents XSS attacks by making the cookie inaccessible to JS via the Document.cookie API. It's advisable to also set the Secure flag which only allows cookies to be sent over HTTPS, but that doesn't play nice with development environment so it shouldn't be set by default here.

To enable secure cookies you can add the following to your Rails config: `config.force_ssl = true`

This will enable secure cookies, HSTS, and TLS redirect, but each can be disabled independently: http://api.rubyonrails.org/v5.1.5/classes/ActionDispatch/SSL.html
---
 core/lib/spree/core/controller_helpers/auth.rb | 5 ++++-
 core/spec/lib/spree/core/controller_helpers/auth_spec.rb | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/core/lib/spree/core/controller_helpers/auth.rb b/core/lib/spree/core/controller_helpers/auth.rb
index 3fecec3f5b2..d21d7cf6389 100644
--- a/core/lib/spree/core/controller_helpers/auth.rb
+++ b/core/lib/spree/core/controller_helpers/auth.rb
@@ -42,7 +42,10 @@ def redirect_back_or_default(default)
 
   def set_guest_token
     unless cookies.signed[:guest_token].present?
-      cookies.permanent.signed[:guest_token] = SecureRandom.urlsafe_base64(nil, false)
+      cookies.permanent.signed[:guest_token] = {
+        value: SecureRandom.urlsafe_base64(nil, false),
+        httponly: true
+      }
     end
   end
 
diff --git a/core/spec/lib/spree/core/controller_helpers/auth_spec.rb b/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
index c4bf8b2b83a..f7d1ef82932 100644
--- a/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
+++ b/core/spec/lib/spree/core/controller_helpers/auth_spec.rb
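Review bot: The HttpOnly attribute only reaches cookies issued after this deploys, because the `unless cookies.signed[:guest_token].present?` guard on the context line never rewrites a guest_token that a visitor already carries, and the permanent jar gives those existing cookies a long expiry, so they stay readable from document.cookie until the visitor clears them. Nothing in the cookie value lets the server tell whether it was issued with the flag, so the practical options are to accept that window and call it out in the changelog, or to reissue the cookie once with the same value, `cookies.permanent.signed[:guest_token] = { value: cookies.signed[:guest_token], httponly: true }`, on the branch where it is already present. Since the commit message defers Secure to `config.force_ssl`, a `secure: request.ssl?` entry in the same hash would give HTTPS deployments that flag without breaking plain-HTTP development, if that trade-off is acceptable to the project. A one-line comment above the hash, `# HttpOnly keeps the token out of document.cookie; Secure is left to config.force_ssl`, would keep the rationale next to the code instead of only in the commit message.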
@@ -40,6 +40,7 @@ def index
     end
     it 'sends cookie header' do
       get :index
+      expect(response.headers["Set-Cookie"]).to match(/guest_token.*HttpOnly/)
       expect(response.cookies['guest_token']).not_to be_nil
     end
   end
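Review bot: The added expectation uses double-quoted `"Set-Cookie"` while the very next line (and the rest of the visible spec) uses single quotes, so `response.headers['Set-Cookie']` would keep the file consistent. The regex `/guest_token.*HttpOnly/` appears to depend on `.` not crossing the newline that separates multiple Set-Cookie values in the header, which is what scopes the HttpOnly check to the guest_token cookie rather than to any cookie in the response; a short comment such as `# '.' stops at the newline between cookies, so HttpOnly must be on the guest_token line` would make that intent explicit for the next person who touches it. The enclosing describe/context block starts outside the hunk.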