author | Catherine Khuu <catherine.khuu@plated.com> | 2018-03-15 17:29:21 -0400 |
---|---|---|
committer | Rafael França <rafaelmfranca@gmail.com> | 2018-03-15 17:29:21 -0400 |
commit | 46ae2b18ea2808eccf3894570dbec46bdb569652 (patch) | |
tree | edf3272548f1874f455742c701e44086aa4cf15f /actionpack/lib | |
parent | 008538081b87940ad1a4fd29df730ec5d0421ee5 (diff) | |
download | rails-46ae2b18ea2808eccf3894570dbec46bdb569652.tar.gz rails-46ae2b18ea2808eccf3894570dbec46bdb569652.tar.bz2 rails-46ae2b18ea2808eccf3894570dbec46bdb569652.zip |
Check exclude before flagging cookies as secure in ActionDispatch::SSL (#32262)
* Check exclude before flagging cookies as secure.
* Update comments in ActionDispatch::SSL.
[Catherine Khuu + Rafael Mendonça França]
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/ssl.rb | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb index 6d9f36ad75..240269d1c7 100644 --- a/actionpack/lib/action_dispatch/middleware/ssl.rb +++ b/actionpack/lib/action_dispatch/middleware/ssl.rb @@ -15,6 +15,8 @@ module ActionDispatch # # config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } } # + # Cookies will not be flagged as secure for excluded requests. + # # 2. <b>Secure cookies</b>: Sets the +secure+ flag on cookies to tell browsers they # must not be sent along with +http://+ requests. Enabled by default. Set # +config.ssl_options+ with <tt>secure_cookies: false</tt> to disable this feature. @@ -71,7 +73,7 @@ module ActionDispatch if request.ssl? @app.call(env).tap do |status, headers, body| set_hsts_header! headers - flag_cookies_as_secure! headers if @secure_cookies + flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request) end else return redirect_to_https request unless @exclude.call(request) |
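Review bot: the added sentence "Cookies will not be flagged as secure for excluded requests." sits under the `redirect: { exclude: ... }` example in item 1, but the behaviour it describes belongs to item 2 (Secure cookies), which still reads only "Enabled by default. Set +config.ssl_options+ with <tt>secure_cookies: false</tt> to disable this feature." A reader of the secure-cookie docs will not learn that the redirect exclusion also suppresses the flag. Suggest repeating the caveat in item 2 and making it precise, e.g. "Responses to excluded requests, including ones already served over HTTPS, will not have their cookies flagged as secure." The example matcher `request.path =~ /healthcheck/` is also unanchored, so it matches any path containing `healthcheck` (such as `/admin/healthcheck_settings`); now that a match additionally drops the Secure flag, the example should be anchored, e.g. `request.path == "/healthcheck"` or `request.path =~ %r{\A/healthcheck\z}`.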
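Review bot: `flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)` reuses the redirect exclusion to exempt the response from secure-cookie flagging, but this branch only runs when `request.ssl?` is true, so the response was served over HTTPS and any cookie it sets now goes out without `secure`, which means the browser will later send that cookie over plain `http://` as well. The `exclude` option was documented as "do not redirect these requests", not "these requests may set insecure cookies"; for a health check that never sets a session cookie this is harmless, but an excluded path that does set one is weakened silently. Consider a separate exclusion for `secure_cookies` (or at least a loud note in the docs and changelog) rather than overloading the redirect one. The diffstat here is limited to `actionpack/lib`, so it is not visible whether the test suite gained a case for an excluded HTTPS request carrying a `Set-Cookie` header; it should assert the flag is absent there and still present for a non-excluded HTTPS request.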