mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

ActionDispatch:SSL: don't include STS header in non-https responses

Geoff Buesing 2013-06-23 19:58:02 -05:00
parent 11ac1e8a2c
commit d8bf1f22de
2 changed files with 6 additions and 2 deletions


@ -36,8 +36,7 @@ module ActionDispatch
url.scheme = "https"
url.host = @host if @host
url.port = @port if @port
headers = hsts_headers.merge('Content-Type' => 'text/html',
'Location' => url.to_s)
headers = { 'Content-Type' => 'text/html', 'Location' => url.to_s }
[301, headers, []]
end
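Review bot: The new `headers = { 'Content-Type' => 'text/html', 'Location' => url.to_s }` line drops the HSTS header from the plain-HTTP redirect without recording why, so a later refactor could easily restore the `hsts_headers.merge`. A one-line comment above it would keep the intent visible, for example `# No Strict-Transport-Security on the redirect: it must only be sent over a secure transport (RFC 6797, section 7.2)`. The enclosing method starts above the hunk, so how `url` is built is not visible here. If its host comes from the request whenever `@host` is unset, the `Location` value reflects client-supplied input, which is worth confirming separately.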


@ -37,6 +37,11 @@ class SSLTest < ActionDispatch::IntegrationTest
response.headers['Strict-Transport-Security']
end
def test_no_hsts_with_insecure_connection
get "http://example.org/"
assert_not response.headers['Strict-Transport-Security']
end
def test_hsts_header
self.app = ActionDispatch::SSL.new(default_app, :hsts => true)
get "https://example.org/"
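Review bot: `test_no_hsts_with_insecure_connection` runs against whatever app the test setup installs, so it does not pin the case where HSTS is explicitly enabled, which is where a regression would matter most. Following the neighbouring `test_hsts_header`, it could begin with `self.app = ActionDispatch::SSL.new(default_app, :hsts => true)` before `get "http://example.org/"`. The test also checks only that the header is absent. Adding `assert_response :redirect` would confirm the request took the redirect path rather than passing for an unrelated reason. The setup method is outside the hunk, so the default configuration is inferred.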