github / secure_headers

Manages application of security headers with many safe defaults
MIT License
3.17k stars 252 forks source link

SecureHeaders middleware erases all cookies in Rack 3 due to \n joining #514

Open collinsauve opened 7 months ago

collinsauve commented 7 months ago

Bugs

SecureHeaders is not compatible with this change from Rack 3 as SH uses \n encoded cookies in flag_cookies!:

Response header values can be an Array to handle multiple values (and no longer supports \n encoded headers).

Rack will no longer transform this back into an array for you, and that joined string with \n gets all the way to Puma::Request#str_headers at which point it ignores it due to it being an illegal value.

Expected outcome

Describe what you expected to happen

  1. I set multiple cookies
  2. Those cookies are included in the response

Actual outcome

  1. The response written to the socket does not include any cookies set before SH middleware gets them.
collinsauve commented 7 months ago

I've put together a minimum-viable reproduction of the issue: https://github.com/collinsauve/secure-headers-issue-514