rails_same_site_cookie 0.1.5 → 0.1.9

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: d0c2e537b9df7458324fe26f417e12791742a193
4
- data.tar.gz: 7f0e758b214264adb777c7fbccd7b08970d641e3
2
+ SHA256:
3
+ metadata.gz: de603a08185ff1e1df7e28ca0229d6a1f64474336788d233af3a0d647d028868
4
+ data.tar.gz: f01fc02d4261a916c3b2776fa9bafee35a37d5d00c64592d8ecba0aba4a7def2
5
5
  SHA512:
6
- metadata.gz: 34e3be281673ffbe03de44c11cb606e25d2d22946760357dc7f3572cc9ced0ad1f9e4c0141c607a008d07fa274fd29ff24a3bfcd191ca58082e2c9559d5472f2
7
- data.tar.gz: 6c47a3d87373e137f082fbe99bc70443bfd00674144011a6528e8fe82b497f7921366e573dd695602d8ae9701c126b4a54ab874cc2a7b903ccb2d3a9ad61dfcd
6
+ metadata.gz: 516d7d5d61abe352bcd927663aec93d85ea0ceffcf254b1816e64168fd627431398dd9a505f7bb4457d53ce093201260039079ef4c69c13739b18a575dbfe357
7
+ data.tar.gz: 5aa26a4289c6fb3ece3b9438c8e4977dca23fa2cfc9eb4d91ba63a01ac44b969152f77f2de93f7c49864fda29fd9178d55b99172a76bc13479391d39bec51586
data/README.md CHANGED
@@ -8,8 +8,11 @@ This new behavior shouldn't be a problem for most apps but if your Rails app pro
8
8
 
9
9
  This gem fixes the above problems by explicity setting SameSite=None for all cookies where the SameSite directive is missing and the requesting user agent is not in Chrome's [provided list of known incompatible clients](https://www.chromium.org/updates/same-site/incompatible-clients).
10
10
 
11
+ ### Note about incompatibility with Safari and the future of third-party cookies
12
+ Newer versions of Safari [block third party cookies by defaul](https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/) regardless of whether the SameSite flag is set. By design there is no workaround for this without the user manually going in and overriding the default settings to allow cross-site tracking. Chrome also plans to [completely phase out third party cookies in 2022](https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html) at which point this gem will be useless.
13
+
11
14
  ### Note about HTTP requests and local testing
12
- Note that the gem only sets the "Secure" flag (which Chrome will also require for SameSite=None cookies) on cookies sent over HTTPS. So if you're testing on your local machine and you haven't setup your localhost to use SSL you will see warnings in Chrome about the cookies lacking the Secure flag. If the gem did set this flag in these cases, you would not see the warning and instead the cookies would simply be ignored. Once Chrome 80 is released you will either have to setup SSL on your localhost or start using a different browser for development, because Chrome will begin ignoring these cookies for lacking the Secure flag.
15
+ Note that for Chrome/Chromium based browsers the gem only sets the SameSite flag on cookies sent over HTTPS. So if you're testing on your local machine and you haven't setup your localhost to use SSL you will see warnings in versions of Chrome less than 80 about the missing SameSite flag, and in Chrome 80+ these cookies will be ignored entirely. To work around this in Chrome 80+ without setting up SSL you can disable the following Chrome flags: chrome://flags/ -> `SameSite by default cookies` and `Cookies without SameSite must be secure`.
13
16
 
14
17
  ## Installation
15
18
 
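Review bot: the link text in the new Safari paragraph reads "block third party cookies by defaul"; fix to "by default" (the unchanged line above also has "explicity" for "explicitly", worth picking up in the same edit). The reworked local-testing paragraph tells developers to turn off `SameSite by default cookies` and `Cookies without SameSite must be secure` in chrome://flags; those flags switch off the browser's cross-site cookie protections for every site, so the README should say to do that only in a throwaway development profile and should keep the old text's recommendation to set up HTTPS on localhost as the preferred route. The sentence that was dropped, that Chrome also requires the Secure flag on SameSite=None cookies, is still correct and worth keeping, since it explains why the gem skips Chromium over plain HTTP at all (the `next if !ssl && parser.chrome?` branch in the middleware).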
@@ -13,14 +13,17 @@ module RailsSameSiteCookie
13
13
  status, headers, body = @app.call(env)
14
14
 
15
15
  regex = RailsSameSiteCookie.configuration.user_agent_regex
16
- if headers['Set-Cookie'].present? and (regex.nil? or regex.match(env['HTTP_USER_AGENT']))
16
+ set_cookie = headers['Set-Cookie']
17
+ if (regex.nil? or regex.match(env['HTTP_USER_AGENT'])) and not (set_cookie.nil? or set_cookie.strip == '')
17
18
  parser = UserAgentChecker.new(env['HTTP_USER_AGENT'])
18
19
  if parser.send_same_site_none?
19
- cookies = headers['Set-Cookie'].split(COOKIE_SEPARATOR)
20
+ cookies = set_cookie.split(COOKIE_SEPARATOR)
20
21
  ssl = Rack::Request.new(env).ssl?
21
22
 
22
23
  cookies.each do |cookie|
23
- next if cookie.blank?
24
+ next if cookie == '' or cookie.nil?
25
+ next if !ssl && parser.chrome? # https://www.chromestatus.com/feature/5633521622188032
26
+
24
27
  if ssl and not cookie =~ /;\s*secure/i
25
28
  cookie << '; Secure'
26
29
  end
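Review bot: `set_cookie.strip` and `set_cookie.split(COOKIE_SEPARATOR)` assume `headers['Set-Cookie']` is a String, but with Rack 3 (which the new `rack >= 1.5` constraint admits) the value can be an Array of cookie strings, and `Array#strip` raises NoMethodError, so the new presence check is narrower than the `present?` call it replaces rather than equivalent. Normalise before use, e.g. `cookies = Array(set_cookie).flat_map { |v| v.split(COOKIE_SEPARATOR) }`, and write the header back in the same shape it was read. Two smaller points: `next if cookie == '' or cookie.nil?` no longer skips whitespace-only entries the way `blank?` did (`next if cookie.nil? || cookie.strip.empty?` keeps that), and the `next if !ssl && parser.chrome?` line leaves Chromium cookies over plain HTTP with neither SameSite nor Secure, which matches the README change but deserves a one-line comment in the code beyond the chromestatus URL, plus a spec for the HTTP/Chromium case so the skip is not lost in a later refactor.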
@@ -21,6 +21,10 @@ module RailsSameSiteCookie
21
21
  return !missing_same_site_none_support?
22
22
  end
23
23
 
24
+ def chrome?
25
+ is_chromium_based?
26
+ end
27
+
24
28
  private
25
29
  def missing_same_site_none_support?
26
30
  has_webkit_ss_bug? or drops_unrecognized_ss_cookies?
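Review bot: `chrome?` simply returns `is_chromium_based?`, so it is true for Edge, Opera, Brave and any other Chromium build, not only Chrome; the name will mislead callers, and the middleware's `!ssl && parser.chrome?` skip applies to all of them. Either name the public method `chromium_based?` (or keep `chrome?` as an alias with a comment saying so) and add a spec with a non-Chrome Chromium user agent so the HTTP skip path is covered. Also worth checking that `is_chromium_based?` copes with a nil user agent: the middleware calls `UserAgentChecker.new(env['HTTP_USER_AGENT'])` whenever `user_agent_regex` is nil, and `HTTP_USER_AGENT` is not guaranteed to be present.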
@@ -1,3 +1,3 @@
1
1
  module RailsSameSiteCookie
2
- VERSION = "0.1.5"
2
+ VERSION = "0.1.9"
3
3
  end
@@ -28,6 +28,6 @@ Gem::Specification.new do |spec|
28
28
  spec.add_development_dependency "rake", "~> 10.0"
29
29
  spec.add_development_dependency "rspec", "~> 3.0"
30
30
 
31
- spec.add_dependency "railties", ">= 4.1"
32
- spec.add_dependency "user_agent_parser", "~> 2.5"
31
+ spec.add_dependency "rack", ">= 1.5"
32
+ spec.add_dependency "user_agent_parser", "~> 2.6"
33
33
  end
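Review bot: swapping `railties` for `rack` removes ActiveSupport from the gem's declared dependencies, so nothing outside the middleware may keep relying on `present?`/`blank?` or other core extensions; the middleware hunk replaces those two calls, but any Railtie that inserts the middleware into the Rails stack now needs a `defined?(Rails::Railtie)` guard, and the README installation section should state whether plain Rack apps have to insert `RailsSameSiteCookie::Middleware` themselves. A dependency change like this, together with the `user_agent_parser` bump to `~> 2.6`, belongs in a CHANGELOG entry alongside the 0.1.5 to 0.1.9 version bump.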
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails_same_site_cookie
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.5
4
+ version: 0.1.9
5
5
  platform: ruby
6
6
  authors:
7
7
  - Philip Schinis
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-01-31 00:00:00.000000000 Z
11
+ date: 2021-09-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -53,33 +53,33 @@ dependencies:
53
53
  - !ruby/object:Gem::Version
54
54
  version: '3.0'
55
55
  - !ruby/object:Gem::Dependency
56
- name: railties
56
+ name: rack
57
57
  requirement: !ruby/object:Gem::Requirement
58
58
  requirements:
59
59
  - - ">="
60
60
  - !ruby/object:Gem::Version
61
- version: '4.1'
61
+ version: '1.5'
62
62
  type: :runtime
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
66
  - - ">="
67
67
  - !ruby/object:Gem::Version
68
- version: '4.1'
68
+ version: '1.5'
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: user_agent_parser
71
71
  requirement: !ruby/object:Gem::Requirement
72
72
  requirements:
73
73
  - - "~>"
74
74
  - !ruby/object:Gem::Version
75
- version: '2.5'
75
+ version: '2.6'
76
76
  type: :runtime
77
77
  prerelease: false
78
78
  version_requirements: !ruby/object:Gem::Requirement
79
79
  requirements:
80
80
  - - "~>"
81
81
  - !ruby/object:Gem::Version
82
- version: '2.5'
82
+ version: '2.6'
83
83
  description:
84
84
  email:
85
85
  - p.schinis@gmail.com
@@ -125,8 +125,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
125
125
  - !ruby/object:Gem::Version
126
126
  version: '0'
127
127
  requirements: []
128
- rubyforge_project:
129
- rubygems_version: 2.5.1
128
+ rubygems_version: 3.1.2
130
129
  signing_key:
131
130
  specification_version: 4
132
131
  summary: This gem allows you to set the SameSite=None cookie directive without breaking