Merge pull request #296 from anujdas/fix_secure_cookies

oreoshake · web-flow · commit 530b6b52024f · 2016-10-12T07:20:04.000-10:00
Set secure cookies on interleaved http/https calls correctly
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-2.2.3
+2.2.5
diff --git a/lib/secure_headers/configuration.rb b/lib/secure_headers/configuration.rb
@@ -140,7 +140,7 @@ def initialize(&block)
     # Returns a deep-dup'd copy of this configuration.
     def dup
       copy = self.class.new
-      copy.cookies = @cookies
+      copy.cookies = self.class.send(:deep_copy_if_hash, @cookies)
       copy.csp = @csp.dup if @csp
       copy.csp_report_only = @csp_report_only.dup if @csp_report_only
       copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)
diff --git a/spec/lib/secure_headers/middleware_spec.rb b/spec/lib/secure_headers/middleware_spec.rb
@@ -105,6 +105,18 @@ module SecureHeaders
         _, env = cookie_middleware.call request.env
         expect(env['Set-Cookie']).to eq("foo=bar")
       end
+
+      it "sets the secure cookie flag correctly on interleaved http/https requests" do
+        Configuration.default { |config| config.cookies = { secure: true } }
+
+        request = Rack::Request.new("HTTPS" => "off")
+        _, env = cookie_middleware.call request.env
+        expect(env['Set-Cookie']).to eq("foo=bar")
+
+        request = Rack::Request.new("HTTPS" => "on")
+        _, env = cookie_middleware.call request.env
+        expect(env['Set-Cookie']).to eq("foo=bar; secure")
+      end
     end
   end
 end
