rwf2
/
Rocket
mirror of https://github.com/rwf2/Rocket.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Set safer defaults for private cookies.

This commit is contained in:
Sergio Benitez 2017-10-05 21:58:04 -07:00
parent 8de1e32130
commit a90d625abe
2 changed files with 23 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/Cargo.toml
View File

@ -31,12 +31,16 @@ smallvec = "0.4"
pear = "0.0.11" pear = "0.0.11"
pear_codegen = "0.0.11" pear_codegen = "0.0.11"
rustls = { version = "0.11.0", optional = true } rustls = { version = "0.11.0", optional = true }
cookie = { version = "0.10.0", features = ["percent-encode", "secure"] }
hyper = { version = "0.10.13", default-features = false } hyper = { version = "0.10.13", default-features = false }
hyper-sync-rustls = { version = "0.3.0-rc.1", features = ["server"], optional = true } hyper-sync-rustls = { version = "0.3.0-rc.1", features = ["server"], optional = true }
ordermap = "0.2" ordermap = "0.2"
isatty = "0.1" isatty = "0.1"
[dependencies.cookie]
git = "https://github.com/alexcrichton/cookie-rs"
rev = "9706ac"
features = ["percent-encode", "secure"]
[dev-dependencies] [dev-dependencies]
lazy_static = "0.2" lazy_static = "0.2"
rocket_codegen = { version = "0.4.0-dev", path = "../codegen" } rocket_codegen = { version = "0.4.0-dev", path = "../codegen" }

27
lib/src/http/cookies.rs
View File

@ -209,10 +209,16 @@ impl<'a> Cookies<'a> {
/// [`get_private`](#method.get_private) and removed using /// [`get_private`](#method.get_private) and removed using
/// [`remove_private`](#method.remove_private). /// [`remove_private`](#method.remove_private).
/// ///
/// If a path is not set on `cookie`, the `"/"` path will automatically be /// Unless a value is supplied for the given key, the following defaults are
/// set. If a `SameSite` attribute is not set, the attribute will be set to /// set on `cookie` before being added to `self`:
/// `Strict`. These defaults ensure maximum usability and security. For ///
/// additional security, you may wish to set the `http_only` flag. /// * `path`: `"/"`
/// * `SameSite`: `Strict`
/// * `HttpOnly`: `true`
/// * `Expires`: 1 week from now
///
/// These defaults ensure maximum usability and security. For additional
/// security, you may wish to set the `secure` flag.
/// ///
/// # Example /// # Example
/// ///
@ -221,11 +227,6 @@ impl<'a> Cookies<'a> {
/// ///
/// fn handler(mut cookies: Cookies) { /// fn handler(mut cookies: Cookies) {
/// cookies.add_private(Cookie::new("name", "value")); /// cookies.add_private(Cookie::new("name", "value"));
///
/// // Set the `HttpOnly` flag.
/// let mut cookie = Cookie::new("name", "value");
/// cookie.set_http_only(true);
/// cookies.add(cookie);
/// } /// }
/// ``` /// ```
pub fn add_private(&mut self, mut cookie: Cookie<'static>) { pub fn add_private(&mut self, mut cookie: Cookie<'static>) {
@ -234,6 +235,14 @@ impl<'a> Cookies<'a> {
cookie.set_path("/"); cookie.set_path("/");
} }
if cookie.http_only().is_none() {
cookie.set_http_only(true);
}
if cookie.expires().is_none() {
cookie.set_expires(::time::now() + ::time::Duration::weeks(1));
}
if cookie.same_site().is_none() { if cookie.same_site().is_none() {
cookie.set_same_site(SameSite::Strict); cookie.set_same_site(SameSite::Strict);
} }