Remove redundant custom SameSiteSecurity::Middleware

This was introduced in this PR [1] in order to set `SameSite=lax` on all cookies. However, in the current version of Rails (v7.0.8) this is now configurable via `config.action_dispatch.cookies_same_site_protection` [2] and it defaults to `:lax`. I've left the `CookiesSecurityTest` integration test in place even though it's now testing default behaviour, because (a) it's also testing that the `httponly: true` option is set on the cookie store; and (b) it provides a trail back to the original PR which explains a bit about why it was introduced and links to a Trello card. I've also double-checked in a browser that the session cookie still has "SameSite=lax" set. [1]: #507 [2]: https://guides.rubyonrails.org/v7.0.8/configuring.html#config-action-dispatch-cookies-same-site-protection
alphagov · Jan 8, 2024 · ffdbdca · ffdbdca
1 parent 347a06b
commit ffdbdca
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 44 deletions.
diff --git a/config/application.rb b/config/application.rb
@@ -13,7 +13,6 @@
 require "action_view/railtie"
 # require "action_cable/engine"
 require "rails/test_unit/railtie"
-require_relative "../lib/same_site_security/middleware"
 
 # Require the gems listed in Gemfile, including any gems
 # you've limited to :test, :development, or :production.
@@ -64,8 +63,6 @@ class Application < Rails::Application
 
     config.active_job.queue_adapter = :sidekiq
 
-    config.middleware.insert_before 0, SameSiteSecurity::Middleware
-
     config.action_dispatch.return_only_media_type_on_content_type = true
 
     # Set asset path to be application specific so that we can put all GOV.UK

diff --git a/lib/same_site_security/middleware.rb b/lib/same_site_security/middleware.rb
diff --git a/test/lib/same_site_security/middleware_test.rb b/test/lib/same_site_security/middleware_test.rb