
SecureHeaders middleware erases all cookies in Rack 3 due to \n joining

Open collinsauve opened this issue 1 year ago • 2 comments

Bugs

SecureHeaders is not compatible with this change from Rack 3 as SH uses \n encoded cookies in flag_cookies!:

Response header values can be an Array to handle multiple values (and no longer supports \n encoded headers).

Rack will no longer transform this back into an array for you, and that joined string with \n gets all the way to Puma::Request#str_headers at which point it ignores it due to it being an illegal value.

Expected outcome


  1. I set multiple cookies
  2. Those cookies are included in the response

Actual outcome

  1. The response written to the socket does not include any cookies set before SH middleware gets them.

collinsauve avatar Apr 22 '24 21:04 collinsauve
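The failure mode the issue describes, reduced to a minimal Rack-style middleware. This is an added illustration, not secure_headers' or Rack's own code: the class `FlagCookies`, the `join_with_newline:` switch, the `COOKIE_FLAGS` constant and the `server_accepts?` stand-in for Puma's header validation are all hypothetical. It shows the pre-fix behaviour (flagged cookies re-joined with "\n", which a Rack 3 server treats as an illegal header value and drops) beside the Rack 3-compatible behaviour (one Array element per cookie). Rack 3 also lowercases header names, so the example keys on `"set-cookie"`.

```ruby
# Added example (hypothetical names; not secure_headers' or Rack's code).
# Flags every Set-Cookie value and shows why "\n"-joining loses cookies on Rack 3.

COOKIE_FLAGS = { secure: true, httponly: true, samesite: "Lax" }.freeze

# Normalize a Set-Cookie header value into an Array of individual cookies.
# A Rack 2-era app may hand us a "\n"-joined String; Rack 3 hands us an Array.
def cookie_values(value)
  case value
  when nil then []
  when Array then value.flat_map { |v| cookie_values(v) }
  else value.to_s.split("\n")
  end.reject(&:empty?)
end

# Append the configured flags to one cookie string without duplicating
# attributes the application already set.
def flag_cookie(cookie, flags = COOKIE_FLAGS)
  attrs = cookie.split(";").map(&:strip)
  lower = attrs.map(&:downcase)
  attrs << "secure" if flags[:secure] && !lower.include?("secure")
  attrs << "HttpOnly" if flags[:httponly] && !lower.include?("httponly")
  if flags[:samesite] && lower.none? { |a| a.start_with?("samesite=") }
    attrs << "SameSite=#{flags[:samesite]}"
  end
  attrs.join("; ")
end

# Hypothetical middleware. join_with_newline: true reproduces the pre-fix
# behaviour from the issue; false emits the Array form Rack 3 expects.
class FlagCookies
  def initialize(app, join_with_newline: false)
    @app = app
    @join_with_newline = join_with_newline
  end

  def call(env)
    status, headers, body = @app.call(env)
    cookies = cookie_values(headers["set-cookie"])
    unless cookies.empty?
      flagged = cookies.map { |c| flag_cookie(c) }
      headers["set-cookie"] = @join_with_newline ? flagged.join("\n") : flagged
    end
    [status, headers, body]
  end
end

# Constructed stand-in for the server-side check (not Puma's code): a header
# value containing CR or LF is illegal per RFC 7230 and is dropped entirely.
def server_accepts?(value)
  Array(value).none? { |v| v.match?(/[\r\n]/) }
end

# Constructed sample app that sets two cookies, as a Rack 3 app would (Array value).
SAMPLE_APP = ->(_env) { [200, { "set-cookie" => ["a=1; Path=/", "b=2"] }, []] }

if __FILE__ == $PROGRAM_NAME
  _, broken, _ = FlagCookies.new(SAMPLE_APP, join_with_newline: true).call({})
  _, fixed, _ = FlagCookies.new(SAMPLE_APP).call({})
  puts "newline-joined accepted by server? #{server_accepts?(broken['set-cookie'])}"
  puts "array form accepted by server?     #{server_accepts?(fixed['set-cookie'])}"
end
```

Running the file prints `false` for the newline-joined form and `true` for the Array form: with the joined String every cookie is lost, whereas the Array form is passed through with the flags appended to each cookie.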

I've put together a minimum-viable reproduction of the issue: https://github.com/collinsauve/secure-headers-issue-514

collinsauve avatar Apr 22 '24 22:04 collinsauve