-rw-r--r-- | actionpack/CHANGELOG.md | 8 | ||||
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/ssl.rb | 24 | ||||
-rw-r--r-- | actionpack/test/dispatch/ssl_test.rb | 49 | ||||
-rw-r--r-- | railties/test/application/middleware_test.rb | 4 |
4 files changed, 23 insertions, 62 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 81b3ed551f..4cb56160fd 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -1,3 +1,11 @@ +* Change HSTS subdomain to true. + + *Rafael Mendonça França* + +* Remove deprecated `host` and `port` ssl options. + + *Rafael Mendonça França* + * Remove deprecated `const_error` argument in `ActionDispatch::Session::SessionRestoreError#initialize`. diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb index 992daab3aa..c9bd417aa2 100644 --- a/actionpack/lib/action_dispatch/middleware/ssl.rb +++ b/actionpack/lib/action_dispatch/middleware/ssl.rb @@ -45,35 +45,17 @@ module ActionDispatch HSTS_EXPIRES_IN = 15552000 def self.default_hsts_options - { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false } + { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false } end - def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options) + def initialize(app, redirect: {}, hsts: {}, secure_cookies: true) @app = app - if options[:host] || options[:port] - ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc - The `:host` and `:port` options are moving within `:redirect`: - `config.ssl_options = { redirect: { host: …, port: … } }`. - end_warning - @redirect = options.slice(:host, :port) - else - @redirect = redirect - end + @redirect = redirect @exclude = @redirect && @redirect[:exclude] || proc { !@redirect } @secure_cookies = secure_cookies - if hsts != true && hsts != false && hsts[:subdomains].nil? - hsts[:subdomains] = false - - ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc - In Rails 5.1, The `:subdomains` option of HSTS config will be treated as true if - unspecified. Set `config.ssl_options = { hsts: { subdomains: false } }` to opt out - of this behavior. - end_warning - end - @hsts_header = build_hsts_header(normalize_hsts_options(hsts)) end 
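Review bot: Flipping `default_hsts_options` to `subdomains: true` means every app relying on the default now sends `includeSubDomains` with the 15552000-second (~180 day) `max-age` shown in the context line, so a subdomain still served over plain HTTP (staging, an internal tool, a vendor-hosted site under the apex) becomes unreachable in browsers after one visit to the main site and stays so until the entry expires; the same hunk removes the deprecation warning that used to tell operators how to opt out. That is a sound default for new apps, but it should be spelled out at the definition, e.g. `# includeSubDomains is on by default: every subdomain must be reachable over HTTPS; pass hsts: { subdomains: false } to opt out.` The class-level documentation above this hunk is outside my view and may still describe the old `false` default — worth checking. The CHANGELOG entry `Change HSTS subdomain to true.` would also be more useful if it named the opt-out, since the warning text carrying it is gone.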
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb index 71b274bf1e..e29ffa750c 100644 --- a/actionpack/test/dispatch/ssl_test.rb +++ b/actionpack/test/dispatch/ssl_test.rb @@ -12,25 +12,16 @@ class SSLTest < ActionDispatch::IntegrationTest end class RedirectSSLTest < SSLTest - def assert_not_redirected(url, headers: {}, redirect: {}, deprecated_host: nil, - deprecated_port: nil) - - self.app = build_app ssl_options: { redirect: redirect, - host: deprecated_host, port: deprecated_port - } - + def assert_not_redirected(url, headers: {}, redirect: {}) + self.app = build_app ssl_options: { redirect: redirect } get url, headers: headers assert_response :ok end - def assert_redirected(redirect: {}, deprecated_host: nil, deprecated_port: nil, - from: "http://a/b?c=d", to: from.sub("http", "https")) - + def assert_redirected(redirect: {}, from: "http://a/b?c=d", to: from.sub("http", "https")) redirect = { status: 301, body: [] }.merge(redirect) - self.app = build_app ssl_options: { redirect: redirect, - host: deprecated_host, port: deprecated_port - } + self.app = build_app ssl_options: { redirect: redirect } get from assert_response redirect[:status] || 301 @@ -99,18 +90,6 @@ class RedirectSSLTest < SSLTest assert_redirected redirect: { host: "ssl:443" }, to: "https://ssl:443/b?c=d" end - test ":host is deprecated, moved within redirect: { host: … }" do - assert_deprecated do - assert_redirected deprecated_host: "foo", to: "https://foo/b?c=d" - end - end - - test ":port is deprecated, moved within redirect: { port: … }" do - assert_deprecated do - assert_redirected deprecated_port: 1, to: "https://a:1/b?c=d" - end - end - test "no redirect with redirect set to false" do assert_not_redirected "http://example.org", redirect: false end 
@@ -139,23 +118,19 @@ class StrictTransportSecurityTest < SSLTest end test "hsts: true enables default settings" do - assert_hsts EXPECTED, hsts: true + assert_hsts EXPECTED_WITH_SUBDOMAINS, hsts: true end test "hsts: false sets max-age to zero, clearing browser HSTS settings" do - assert_hsts "max-age=0", hsts: false + assert_hsts "max-age=0; includeSubDomains", hsts: false end test ":expires sets max-age" do - assert_deprecated do - assert_hsts "max-age=500", hsts: { expires: 500 } - end + assert_hsts "max-age=500; includeSubDomains", hsts: { expires: 500 } end test ":expires supports AS::Duration arguments" do - assert_deprecated do - assert_hsts "max-age=31557600", hsts: { expires: 1.year } - end + assert_hsts "max-age=31557600; includeSubDomains", hsts: { expires: 1.year } end test "include subdomains" do @@ -167,15 +142,11 @@ class StrictTransportSecurityTest < SSLTest end test "opt in to browser preload lists" do - assert_deprecated do - assert_hsts "#{EXPECTED}; preload", hsts: { preload: true } - end + assert_hsts "#{EXPECTED_WITH_SUBDOMAINS}; preload", hsts: { preload: true } end test "opt out of browser preload lists" do - assert_deprecated do - assert_hsts EXPECTED, hsts: { preload: false } - end + assert_hsts EXPECTED_WITH_SUBDOMAINS, hsts: { preload: false } end end diff --git a/railties/test/application/middleware_test.rb b/railties/test/application/middleware_test.rb index f53c93290c..9baf7360a5 100644 --- a/railties/test/application/middleware_test.rb +++ b/railties/test/application/middleware_test.rb 
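Review bot: The `hsts: false` case now asserts `max-age=0; includeSubDomains`, which is acceptable per RFC 6797 §6.1.1 (a zero `max-age` tells the UA to drop the host's HSTS policy, including any includeSubDomains it previously asserted), but the trailing directive is noise and a reader may take it as "disable HSTS only for subdomains". Either have `build_hsts_header`/`normalize_hsts_options` (outside this hunk) omit `includeSubDomains` when `expires` is zero, or pin the intent on the test with `# max-age=0 clears the stored policy; the includeSubDomains directive is harmless here (RFC 6797 §6.1.1)`. `EXPECTED_WITH_SUBDOMAINS` is defined outside this hunk; I assume it is `"#{EXPECTED}; includeSubDomains"` — confirm.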
@@ -100,10 +100,10 @@ module ApplicationTests test "ActionDispatch::SSL is configured with options when given" do add_to_config "config.force_ssl = true" - add_to_config "config.ssl_options = { host: 'example.com' }" + add_to_config "config.ssl_options = { redirect: { host: 'example.com' } }" boot! - assert_equal [{ host: "example.com" }], Rails.application.middleware.first.args + assert_equal [{ redirect: { host: "example.com" } }], Rails.application.middleware.first.args end test "removing Active Record omits its middleware" do |