author | Catherine Khuu <catherine.khuu@plated.com> | 2018-03-15 17:29:21 -0400 |
---|---|---|
committer | Rafael França <rafaelmfranca@gmail.com> | 2018-03-15 17:29:21 -0400 |
commit | 46ae2b18ea2808eccf3894570dbec46bdb569652 (patch) | |
tree | edf3272548f1874f455742c701e44086aa4cf15f /actionpack | |
parent | 008538081b87940ad1a4fd29df730ec5d0421ee5 (diff) | |
Check exclude before flagging cookies as secure in ActionDispatch::SSL (#32262)
* Check exclude before flagging cookies as secure.
* Update comments in ActionDispatch::SSL.
[Catherine Khuu + Rafael Mendonça França]
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/CHANGELOG.md | 4 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/ssl.rb | 4 | ||||
-rw-r--r-- | actionpack/test/dispatch/ssl_test.rb | 8 |
3 files changed, 15 insertions, 1 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 61451dd673..5223d7848f 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,7 @@
+* Check exclude before flagging cookies as secure.
+
+ *Catherine Khuu*
+
 * Rails 6 requires Ruby 2.4.1 or newer.
 
 *Jeremy Daer*
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 6d9f36ad75..240269d1c7 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -15,6 +15,8 @@ module ActionDispatch
 #
 # config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
 #
+ # Cookies will not be flagged as secure for excluded requests.
+ #
 # 2. <b>Secure cookies</b>: Sets the +secure+ flag on cookies to tell browsers they
 # must not be sent along with +http://+ requests. Enabled by default. Set
 # +config.ssl_options+ with <tt>secure_cookies: false</tt> to disable this feature.
@@ -71,7 +73,7 @@ module ActionDispatch
 if request.ssl?
 @app.call(env).tap do |status, headers, body|
 set_hsts_header! headers
- flag_cookies_as_secure! headers if @secure_cookies
+ flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)
 end
 else
 return redirect_to_https request unless @exclude.call(request)
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
index 90f2ee46ea..baf46e7c7e 100644
--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -208,6 +208,14 @@ class SecureCookiesTest < SSLTest
 assert_cookies(*DEFAULT.split("\n"))
 end
 
+ def test_cookies_as_not_secure_with_exclude
+ excluding = { exclude: -> request { request.domain =~ /example/ } }
+ get headers: { "Set-Cookie" => DEFAULT }, ssl_options: { redirect: excluding }
+
+ assert_cookies(*DEFAULT.split("\n"))
+ assert_response :ok
+ end
+
 def test_no_cookies
 get
 assert_nil response.headers["Set-Cookie"]
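Review bot: Gating `flag_cookies_as_secure!` on `!@exclude.call(request)` in the `request.ssl?` branch of ssl.rb means a cookie set on an excluded request is handed to the browser without `secure` even though the response itself went over HTTPS, so the browser will later send it over plain `http://`; for a no-cookie path like the documented `/healthcheck` that is harmless, but a broad exclude (the new test matches by `request.domain`) silently downgrades every cookie the application sets there, and the exclude option is documented as a redirect setting rather than a cookie setting. If the initializer (outside this hunk) falls back to an exclude proc that returns true whenever `redirect` is disabled, then `redirect: false` — the usual setting when TLS and the redirect are handled upstream — would now turn off secure cookies entirely, which is worth confirming before merging. One way to keep the two concerns apart is to consult only an explicitly configured exclude here, e.g. `flag_cookies_as_secure! headers if @secure_cookies && !(@redirect && @redirect[:exclude]&.call(request))` (assuming `@redirect` holds the redirect options hash), and to add a test next to `test_cookies_as_not_secure_with_exclude` in ssl_test.rb pinning that `ssl_options: { redirect: false }` still marks cookies secure. The comment added in the first ssl.rb hunk should also spell out the consequence, e.g. `# Cookies will not be flagged as secure for excluded requests, so avoid setting cookies on those paths.` The enclosing `call` method starts and ends outside the hunk.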