7.2 release

lib/secure_headers/middleware.rb

@@ -9,6 +9,7 @@ def initialize(app)
     def call(env)
       req = Rack::Request.new(env)
       status, headers, response = @app.call(env)
+      headers = Rack::Headers[headers]
 
       config = SecureHeaders.config_for(req)
       flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
@@ -20,14 +21,12 @@ def call(env)
 
     # inspired by https://github.com/tobmatth/rack-ssl-enforcer/blob/6c014/lib/rack/ssl-enforcer.rb#L183-L194
     def flag_cookies!(headers, config)
-      if cookies = headers["Set-Cookie"]
-        # Support Rails 2.3 / Rack 1.1 arrays as headers
-        cookies = cookies.split("\n") unless cookies.is_a?(Array)
+      cookies = headers["Set-Cookie"]
+      return unless cookies
 
-        headers["Set-Cookie"] = cookies.map do |cookie|
-          SecureHeaders::Cookie.new(cookie, config).to_s
-        end.join("\n")
-      end
+      cookies_array = cookies.is_a?(Array) ? cookies : cookies.split("\n")
+      secured_cookies = cookies_array.map { |cookie| SecureHeaders::Cookie.new(cookie, config).to_s }
+      headers["Set-Cookie"] = cookies.is_a?(Array) ? secured_cookies : secured_cookies.join("\n")
     end
 
     # disable Secure cookies for non-https requests

lib/secure_headers/railtie.rb

@@ -22,9 +22,12 @@ class Railtie < Rails::Railtie
         ActiveSupport.on_load(:action_controller) do
           include SecureHeaders
 
-          unless Rails.application.config.action_dispatch.default_headers.nil?
-            conflicting_headers.each do |header|
-              Rails.application.config.action_dispatch.default_headers.delete(header)
+          default_headers = Rails.application.config.action_dispatch.default_headers
+          unless default_headers.nil?
+            default_headers.each_key do |header|
+              if conflicting_headers.include?(header.downcase)
+                default_headers.delete(header)
+              end
             end
           end
         end

spec/lib/secure_headers/middleware_spec.rb

@@ -83,7 +83,7 @@ module SecureHeaders
       end
 
       it "flags cookies with a combination of SameSite configurations" do
-        cookie_middleware = Middleware.new(lambda { |env| [200, env.merge("Set-Cookie" => ["_session=foobar", "_guest=true"]), "app"] })
+        cookie_middleware = Middleware.new(lambda { |env| [200, env.merge("Set-Cookie" => "_session=foobar\n_guest=true"), "app"] })
 
         Configuration.default { |config| config.cookies = { samesite: { lax: { except: ["_session"] }, strict: { only: ["_session"] } }, httponly: OPT_OUT, secure: OPT_OUT } }
         request = Rack::Request.new("HTTPS" => "on")
@@ -93,6 +93,16 @@ module SecureHeaders
         expect(env["Set-Cookie"]).to match("_guest=true; SameSite=Lax")
       end
 
+      it "keeps cookies as array after flagging if they are already an array" do
+        cookie_middleware = Middleware.new(lambda { |env| [200, env.merge("Set-Cookie" => ["_session=foobar", "_guest=true"]), "app"] })
+
+        Configuration.default { |config| config.cookies = { samesite: { lax: { except: ["_session"] }, strict: { only: ["_session"] } }, httponly: OPT_OUT, secure: OPT_OUT } }
+        request = Rack::Request.new("HTTPS" => "on")
+        _, env = cookie_middleware.call request.env
+
+        expect(env["Set-Cookie"]).to match_array(["_session=foobar; SameSite=Strict", "_guest=true; SameSite=Lax"])
+      end
+
       it "disables secure cookies for non-https requests" do
         Configuration.default { |config| config.cookies = { secure: true, httponly: OPT_OUT, samesite: OPT_OUT } }