Set secure cookies on interleaved http/https calls correctly

The current HTTP/HTTPS detection code mutates the cookie config in place
in order to switch between secure and non-secure cookies. However, since
the original global secure_headers config was passed around everywhere,
the very first HTTP request received would modify the global cookie
config, resulting in :secure => false for all subsequent requests
regardless of SSL. The solution is to dup the cookie config before using
it, which is a pattern followed for every other configuration type
anyways; a better long-term fix would be using non-mutating methods
instead.

Author: anujdas

.ruby-version

@@ -1 +1 @@
-2.2.3
+2.2.5

lib/secure_headers/configuration.rb

@@ -140,7 +140,7 @@ def initialize(&block)
     # Returns a deep-dup'd copy of this configuration.
     def dup
       copy = self.class.new
-      copy.cookies = @cookies
+      copy.cookies = self.class.send(:deep_copy_if_hash, @cookies)
       copy.csp = @csp.dup if @csp
       copy.csp_report_only = @csp_report_only.dup if @csp_report_only
       copy.cached_headers = self.class.send(:deep_copy_if_hash, @cached_headers)

spec/lib/secure_headers/middleware_spec.rb

@@ -105,6 +105,18 @@ module SecureHeaders
         _, env = cookie_middleware.call request.env
         expect(env['Set-Cookie']).to eq("foo=bar")
       end
+
+      it "sets the secure cookie flag correctly on interleaved http/https requests" do
+        Configuration.default { |config| config.cookies = { secure: true } }
+
+        request = Rack::Request.new("HTTPS" => "off")
+        _, env = cookie_middleware.call request.env
+        expect(env['Set-Cookie']).to eq("foo=bar")
+
+        request = Rack::Request.new("HTTPS" => "on")
+        _, env = cookie_middleware.call request.env
+        expect(env['Set-Cookie']).to eq("foo=bar; secure")
+      end
     end
   end
 end