1
0
Fork 0
mirror of https://github.com/sinatra/sinatra synced 2023-03-27 23:18:01 -04:00

Don't track the Accept-Language header by default.

Some modern browsers (e.g., Safari 12, Chrome 71) don't set the
Accept-Language header for websocket requests. A mixture of
requests with and without this header results in unavailable
sessions in websocket handlers due to the built-in Firesheep
protection.

The existing default is inappropriate for any applications
employing Rack sessions for websocket connections.
This commit is contained in:
Artem Chistyakov 2018-12-14 12:15:33 -05:00
parent 5d3099ee3b
commit 6cf49c8855
2 changed files with 1 additions and 22 deletions

View file

@ -14,7 +14,7 @@ module Rack
class SessionHijacking < Base
default_reaction :drop_session
default_options :tracking_key => :tracking, :encrypt_tracking => true,
:track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
:track => %w[HTTP_USER_AGENT]
def accepts?(env)
session = session env

View file

@ -23,27 +23,6 @@ describe Rack::Protection::SessionHijacking do
expect(session).not_to be_empty
end
it "denies requests with a changing Accept-Language header" do
session = {:foo => :bar}
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
expect(session).to be_empty
end
it "accepts requests with the same Accept-Language header" do
session = {:foo => :bar}
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
expect(session).not_to be_empty
end
it "comparison of Accept-Language header is not case sensitive" do
session = {:foo => :bar}
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
expect(session).not_to be_empty
end
it "accepts requests with a changing Version header"do
session = {:foo => :bar}
get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'