make _profilin cookie httpOnly and secure if request is over ssl (#357)

make _profilin cookie httpOnly and secure if request is over ssl (#357)
From 2a545531a1352f8f091817c6ff925c58fd124bb7 Mon Sep 17 00:00:00 2001
From: Greg Molnar <gregmolnar@users.noreply.github.com>
Date: Mon, 30 Jul 2018 08:19:03 +0200
Subject: [PATCH] make _profilin cookie httpOnly and secure if request is over
 ssl (#357)


diff --git a/lib/mini_profiler/client_settings.rb b/lib/mini_profiler/client_settings.rb
index 700e989..fab1081 100644
--- a/lib/mini_profiler/client_settings.rb
+++ b/lib/mini_profiler/client_settings.rb
@@ -15,8 +15,8 @@ module Rack
 
 
       def initialize(env, store, start)
-        request = ::Rack::Request.new(env)
-        @cookie = request.cookies[COOKIE_NAME]
+        @request = ::Rack::Request.new(env)
+        @cookie = @request.cookies[COOKIE_NAME]
         @store = store
         @start = start
         @backtrace_level = nil
@@ -74,9 +74,10 @@ module Rack
           settings["dp"] = "t"                  if @disable_profiling
           settings["bt"] = @backtrace_level     if @backtrace_level
           settings["a"] = @allowed_tokens.join("|") if @allowed_tokens && MiniProfiler.request_authorized?
-
           settings_string = settings.map{|k,v| "#{k}=#{v}"}.join(",")
-          Rack::Utils.set_cookie_header!(headers, COOKIE_NAME, :value => settings_string, :path => '/')
+          cookie = { :value => settings_string, :path => '/', :httponly => true }
+          cookie[:secure] = true if @request.ssl?
+          Rack::Utils.set_cookie_header!(headers, COOKIE_NAME, cookie)
         end
       end
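Review bot: The `secure` flag on the new cookie hash at `cookie[:secure] = true if @request.ssl?` is only as reliable as Rack's scheme detection, which for `Rack::Request#ssl?` also trusts proxy headers such as `X-Forwarded-Proto`/`X-Forwarded-Ssl`; behind a TLS-terminating load balancer that does not forward them, the profiler cookie is issued without `Secure` even though the site is HTTPS-only, and conversely a client that can inject those headers can influence the attribute. Worth a comment above that line so operators know to configure their proxy, e.g. `# ssl? relies on rack_env scheme / X-Forwarded-* headers; behind a TLS-terminating proxy that strips them the cookie is sent without Secure`, and possibly a config switch to force `secure` regardless of the detected scheme. The `httponly` default is a good change; the method containing this block starts outside the hunk.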
