Merge pull request rails#41470 from jtracey/onion-cookies

rafaelfranca · web-flow · commit 9d6f7681afd4 · 2021-11-26T15:41:59.000-05:00
Consider onion services secure for cookies
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   Consider onion services secure for cookies.
+
+    *Justin Tracey*
+
 *   Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
 
     *Rafael Mendonça França*
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -439,7 +439,7 @@ def make_set_cookie_header(header)
         end
 
         def write_cookie?(cookie)
-          request.ssl? || !cookie[:secure] || always_write_cookie
+          request.ssl? || request.host.end_with?(".onion") || !cookie[:secure] || always_write_cookie
         end
 
         def handle_options(options)
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
@@ -457,6 +457,13 @@ def test_setting_cookie_with_secure
     assert_equal({ "user_name" => "david" }, @response.cookies)
   end
 
+  def test_setting_cookie_with_secure_on_onion_address
+    @request.host = "fake.onion"
+    get :authenticate_with_secure
+    assert_cookie_header "user_name=david; path=/; secure; SameSite=Lax"
+    assert_equal({ "user_name" => "david" }, @response.cookies)
+  end
+
   def test_setting_cookie_with_secure_when_always_write_cookie_is_true
     old_cookie, @request.cookie_jar.always_write_cookie = @request.cookie_jar.always_write_cookie, true
     get :authenticate_with_secure
