From 6cf49c885554fa6265f119e6ad5b8d3707c22f64 Mon Sep 17 00:00:00 2001
From: Artem Chistyakov
Date: Fri, 14 Dec 2018 12:15:33 -0500
Subject: [PATCH] Don't track the Accept-Language header by default.
Some modern browsers (e.g., Safari 12, Chrome 71) don't set the Accept-Language header for websocket requests. A mixture of requests with and without this header results in unavailable sessions in websocket handlers due to the built-in Firesheep protection. The existing default is inappropriate for any applications employing Rack sessions for websocket connections.
---
 .../lib/rack/protection/session_hijacking.rb | 2 +-
 .../rack/protection/session_hijacking_spec.rb | 21 -------------------
 2 files changed, 1 insertion(+), 22 deletions(-)
diff --git a/rack-protection/lib/rack/protection/session_hijacking.rb b/rack-protection/lib/rack/protection/session_hijacking.rb
index 4ab047a1..a7dd54b7 100644
--- a/rack-protection/lib/rack/protection/session_hijacking.rb
+++ b/rack-protection/lib/rack/protection/session_hijacking.rb
@@ -14,7 +14,7 @@ module Rack
 class SessionHijacking < Base
 default_reaction :drop_session
 default_options :tracking_key => :tracking, :encrypt_tracking => true,
- :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
+ :track => %w[HTTP_USER_AGENT]
 
 def accepts?(env)
 session = session env
diff --git a/rack-protection/spec/lib/rack/protection/session_hijacking_spec.rb b/rack-protection/spec/lib/rack/protection/session_hijacking_spec.rb
index 2e5bfab5..11d655c5 100644
--- a/rack-protection/spec/lib/rack/protection/session_hijacking_spec.rb
+++ b/rack-protection/spec/lib/rack/protection/session_hijacking_spec.rb
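Review bot: The new `:track` default drops one of the two request properties the Firesheep check compared, so by default the session-hijacking comparison now rests on `HTTP_USER_AGENT` alone, and that weakening should be stated next to the option rather than only in the commit message, e.g. `# HTTP_ACCEPT_LANGUAGE is deliberately not tracked: some browsers omit it on websocket requests, which would drop the session` on the line above `default_options`. Applications that want the previous strictness can still pass `:track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]` explicitly, which is worth mentioning in the class comment and changelog if they list the defaults (neither is in this patch, so I can't tell). The spec hunk only deletes the three Accept-Language examples; a replacement example asserting that a changing `HTTP_ACCEPT_LANGUAGE` no longer empties the session, plus one asserting that the explicit `:track` option restores the drop, would pin the new default instead of leaving it untested. The enclosing `SessionHijacking` class and the body of `accepts?` continue outside the hunk.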
@@ -23,27 +23,6 @@ describe Rack::Protection::SessionHijacking do
 expect(session).not_to be_empty
 end
 
- it "denies requests with a changing Accept-Language header" do
- session = {:foo => :bar}
- get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
- get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
- expect(session).to be_empty
- end
-
- it "accepts requests with the same Accept-Language header" do
- session = {:foo => :bar}
- get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
- get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
- expect(session).not_to be_empty
- end
-
- it "comparison of Accept-Language header is not case sensitive" do
- session = {:foo => :bar}
- get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
- get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
- expect(session).not_to be_empty
- end
-
 it "accepts requests with a changing Version header"do
 session = {:foo => :bar}
 get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'