mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Check exclude before flagging cookies as secure in ActionDispatch::SSL (#32262)
* Check exclude before flagging cookies as secure. * Update comments in ActionDispatch::SSL. [Catherine Khuu + Rafael Mendonça França]
This commit is contained in:
parent
008538081b
commit
46ae2b18ea
3 changed files with 15 additions and 1 deletions
|
@ -1,3 +1,7 @@
|
|||
* Check exclude before flagging cookies as secure.
|
||||
|
||||
*Catherine Khuu*
|
||||
|
||||
* Rails 6 requires Ruby 2.4.1 or newer.
|
||||
|
||||
*Jeremy Daer*
|
||||
|
|
|
@ -15,6 +15,8 @@ module ActionDispatch
|
|||
#
|
||||
# config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
|
||||
#
|
||||
# Cookies will not be flagged as secure for excluded requests.
|
||||
#
|
||||
# 2. <b>Secure cookies</b>: Sets the +secure+ flag on cookies to tell browsers they
|
||||
# must not be sent along with +http://+ requests. Enabled by default. Set
|
||||
# +config.ssl_options+ with <tt>secure_cookies: false</tt> to disable this feature.
|
||||
|
@ -71,7 +73,7 @@ module ActionDispatch
|
|||
if request.ssl?
|
||||
@app.call(env).tap do |status, headers, body|
|
||||
set_hsts_header! headers
|
||||
flag_cookies_as_secure! headers if @secure_cookies
|
||||
flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)
|
||||
end
|
||||
else
|
||||
return redirect_to_https request unless @exclude.call(request)
|
||||
|
|
|
@ -208,6 +208,14 @@ class SecureCookiesTest < SSLTest
|
|||
assert_cookies(*DEFAULT.split("\n"))
|
||||
end
|
||||
|
||||
def test_cookies_as_not_secure_with_exclude
|
||||
excluding = { exclude: -> request { request.domain =~ /example/ } }
|
||||
get headers: { "Set-Cookie" => DEFAULT }, ssl_options: { redirect: excluding }
|
||||
|
||||
assert_cookies(*DEFAULT.split("\n"))
|
||||
assert_response :ok
|
||||
end
|
||||
|
||||
def test_no_cookies
|
||||
get
|
||||
assert_nil response.headers["Set-Cookie"]
|
||||
|
|
Loading…
Reference in a new issue