Added deprecation for older apps

- For old apps which are not setting any value for hsts[:subdomains], a deprecation warning will be shown saying that hsts[:subdomains] will be turned on by default in Rails 5.1. Currently it will be set to false for backward compatibility. - Adjusted tests to reflect this change.
2022-11-09 12:12:34 -05:00 · 2016-02-25 10:18:53 +05:30 · 2016-02-25 10:18:53 +05:30 · 31cf0f5571
commit 31cf0f5571
parent 9ea8de334e
2 changed files with 28 additions and 8 deletions
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@ -40,7 +40,7 @@ module ActionDispatch
    HSTS_EXPIRES_IN = 15552000

    def self.default_hsts_options
-      { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
+      { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
    end

    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
@ -57,6 +57,17 @@ module ActionDispatch
      end

      @secure_cookies = secure_cookies
+
+      if hsts != true && hsts != false && hsts[:subdomains].nil?
+        hsts[:subdomains] = false
+
+        ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
+          In Rails 5.1, HSTS support for subdomains will be turned on by default.
+          Set `config.ssl_options = { hsts: { subdomains: false }}` to opt out
+          of this behavior.
+        end_warning
+      end
+
      @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
    end

--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@ -7,7 +7,7 @@ class SSLTest < ActionDispatch::IntegrationTest

  def build_app(headers: {}, ssl_options: {})
    headers = HEADERS.merge(headers)
-    ActionDispatch::SSL.new lambda { |env| [200, headers, []] }, ssl_options
+    ActionDispatch::SSL.new lambda { |env| [200, headers, []] }, ssl_options.reverse_merge(hsts: { subdomains: true })
  end
 end

@ -98,15 +98,16 @@ end

 class StrictTransportSecurityTest < SSLTest
  EXPECTED = 'max-age=15552000'
+  EXPECTED_WITH_SUBDOMAINS = 'max-age=15552000; includeSubDomains'

-  def assert_hsts(expected, url: 'https://example.org', hsts: {}, headers: {})
+  def assert_hsts(expected, url: 'https://example.org', hsts: { subdomains: true }, headers: {})
    self.app = build_app ssl_options: { hsts: hsts }, headers: headers
    get url
    assert_equal expected, response.headers['Strict-Transport-Security']
  end

  test 'enabled by default' do
-    assert_hsts EXPECTED
+    assert_hsts EXPECTED_WITH_SUBDOMAINS
  end

  test 'not sent with http:// responses' do
@ -126,11 +127,15 @@ class StrictTransportSecurityTest < SSLTest
  end

  test ':expires sets max-age' do
-    assert_hsts 'max-age=500', hsts: { expires: 500 }
+    assert_deprecated do
+      assert_hsts 'max-age=500', hsts: { expires: 500 }
+    end
  end

  test ':expires supports AS::Duration arguments' do
-    assert_hsts 'max-age=31557600', hsts: { expires: 1.year }
+    assert_deprecated do
+      assert_hsts 'max-age=31557600', hsts: { expires: 1.year }
+    end
  end

  test 'include subdomains' do
@ -142,11 +147,15 @@ class StrictTransportSecurityTest < SSLTest
  end

  test 'opt in to browser preload lists' do
-    assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
+    assert_deprecated do
+      assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
+    end
  end

  test 'opt out of browser preload lists' do
-    assert_hsts EXPECTED, hsts: { preload: false }
+    assert_deprecated do
+      assert_hsts EXPECTED, hsts: { preload: false }
+    end
  end
 end