Remove secure_headers gem (LG-6184)#6234
Conversation
|
@mitchellhenke @aduth testing in my personal environment, I got some CORS errors... can one of you confirm my understanding that it's probably not related to these changes? Since the headers need to be set on the resource, so on CDN/S3 side instead of the IDP... something else in my environment must be off?
|
|
Confirmed that, other than above font issue, this works in a deployed environment with the mobile SDK |
**Why**: Tests run without ActionDispatch::SSL middleware so we test it directly
changelog: Internal, Dependencies, Remove secure_headers gem to leverage newer Rails features
| _status, headers, _body = ssl_middleware.call(request) | ||
|
|
||
| expect(headers['Strict-Transport-Security']). | ||
| to eq('max-age=31556952; includeSubDomains; preload') |
There was a problem hiding this comment.
- this is slightly different than the
31536000is the old test, but I figured it was close enough - I create this new test here, since the SSL middleware is not added to tests by default, the old request specs didn't exercise it. I couldn't figure out a nice way to add the SSL middleware for just that test, so I went with this approach of just testing the middleware directly with our app's config
Seems similar to an issue I'd once reported on Slack that couldn't be repro'd by others. FWIW, I couldn't see any CORS errors while navigating your sandbox. But yeah, I would sorta assume it's something configured on the CDN side of things. |
5 participants
Previous PRs have added replacement functionality for the things we care about from this gem and added regression specs:
secureandhttponlyattributesI am going to deploy this to my personal environment to make sure it doesn't break using the acuant SDK on mobile