Remove redundant custom SameSiteSecurity::Middleware #2628
Merged
Commits on Jan 8, 2024
-
Remove redundant custom SameSiteSecurity::Middleware
This was introduced in this PR [1] in order to set `SameSite=lax` on all cookies. However, in the current version of Rails (v7.0.8) this is now configurable via `config.action_dispatch.cookies_same_site_protection` [2] and it defaults to `:lax`. I've left the `CookiesSecurityTest` integration test in place even though it's now testing default behaviour, because (a) it's also testing that the `httponly: true` option is set on the cookie store; and (b) it provides a trail back to the original PR which explains a bit about why it was introduced and links to a Trello card. I've also double-checked in a browser that the session cookie still has "SameSite=lax" set. [1]: #507 [2]: https://guides.rubyonrails.org/v7.0.8/configuring.html#config-action-dispatch-cookies-same-site-protection
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.