mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Added deprecation for older apps
- For old apps which are not setting any value for hsts[:subdomains], a deprecation warning will be shown saying that hsts[:subdomains] will be turned on by default in Rails 5.1. Currently it will be set to false for backward compatibility. - Adjusted tests to reflect this change.
This commit is contained in:
parent
9ea8de334e
commit
31cf0f5571
2 changed files with 28 additions and 8 deletions
|
@ -40,7 +40,7 @@ module ActionDispatch
|
|||
HSTS_EXPIRES_IN = 15552000
|
||||
|
||||
def self.default_hsts_options
|
||||
{ expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
|
||||
{ expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
|
||||
end
|
||||
|
||||
def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
|
||||
|
@ -57,6 +57,17 @@ module ActionDispatch
|
|||
end
|
||||
|
||||
@secure_cookies = secure_cookies
|
||||
|
||||
if hsts != true && hsts != false && hsts[:subdomains].nil?
|
||||
hsts[:subdomains] = false
|
||||
|
||||
ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
|
||||
In Rails 5.1, HSTS support for subdomains will be turned on by default.
|
||||
Set `config.ssl_options = { hsts: { subdomains: false }}` to opt out
|
||||
of this behavior.
|
||||
end_warning
|
||||
end
|
||||
|
||||
@hsts_header = build_hsts_header(normalize_hsts_options(hsts))
|
||||
end
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ class SSLTest < ActionDispatch::IntegrationTest
|
|||
|
||||
def build_app(headers: {}, ssl_options: {})
|
||||
headers = HEADERS.merge(headers)
|
||||
ActionDispatch::SSL.new lambda { |env| [200, headers, []] }, ssl_options
|
||||
ActionDispatch::SSL.new lambda { |env| [200, headers, []] }, ssl_options.reverse_merge(hsts: { subdomains: true })
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -98,15 +98,16 @@ end
|
|||
|
||||
class StrictTransportSecurityTest < SSLTest
|
||||
EXPECTED = 'max-age=15552000'
|
||||
EXPECTED_WITH_SUBDOMAINS = 'max-age=15552000; includeSubDomains'
|
||||
|
||||
def assert_hsts(expected, url: 'https://example.org', hsts: {}, headers: {})
|
||||
def assert_hsts(expected, url: 'https://example.org', hsts: { subdomains: true }, headers: {})
|
||||
self.app = build_app ssl_options: { hsts: hsts }, headers: headers
|
||||
get url
|
||||
assert_equal expected, response.headers['Strict-Transport-Security']
|
||||
end
|
||||
|
||||
test 'enabled by default' do
|
||||
assert_hsts EXPECTED
|
||||
assert_hsts EXPECTED_WITH_SUBDOMAINS
|
||||
end
|
||||
|
||||
test 'not sent with http:// responses' do
|
||||
|
@ -126,11 +127,15 @@ class StrictTransportSecurityTest < SSLTest
|
|||
end
|
||||
|
||||
test ':expires sets max-age' do
|
||||
assert_hsts 'max-age=500', hsts: { expires: 500 }
|
||||
assert_deprecated do
|
||||
assert_hsts 'max-age=500', hsts: { expires: 500 }
|
||||
end
|
||||
end
|
||||
|
||||
test ':expires supports AS::Duration arguments' do
|
||||
assert_hsts 'max-age=31557600', hsts: { expires: 1.year }
|
||||
assert_deprecated do
|
||||
assert_hsts 'max-age=31557600', hsts: { expires: 1.year }
|
||||
end
|
||||
end
|
||||
|
||||
test 'include subdomains' do
|
||||
|
@ -142,11 +147,15 @@ class StrictTransportSecurityTest < SSLTest
|
|||
end
|
||||
|
||||
test 'opt in to browser preload lists' do
|
||||
assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
|
||||
assert_deprecated do
|
||||
assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
|
||||
end
|
||||
end
|
||||
|
||||
test 'opt out of browser preload lists' do
|
||||
assert_hsts EXPECTED, hsts: { preload: false }
|
||||
assert_deprecated do
|
||||
assert_hsts EXPECTED, hsts: { preload: false }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in a new issue