Diffstat (limited to 'actionpack')
-rw-r--r--actionpack/CHANGELOG.md8
-rw-r--r--actionpack/lib/action_dispatch/middleware/ssl.rb24
-rw-r--r--actionpack/test/dispatch/ssl_test.rb49
3 files changed, 21 insertions, 60 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 81b3ed551f..4cb56160fd 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,11 @@
+* Change HSTS subdomain to true.
+
+ *Rafael Mendonça França*
+
+* Remove deprecated `host` and `port` ssl options.
+
+ *Rafael Mendonça França*
+
* Remove deprecated `const_error` argument in
`ActionDispatch::Session::SessionRestoreError#initialize`.
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 992daab3aa..c9bd417aa2 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -45,35 +45,17 @@ module ActionDispatch
HSTS_EXPIRES_IN = 15552000
def self.default_hsts_options
- { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
+ { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
end
- def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
+ def initialize(app, redirect: {}, hsts: {}, secure_cookies: true)
@app = app
- if options[:host] || options[:port]
- ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
- The `:host` and `:port` options are moving within `:redirect`:
- `config.ssl_options = { redirect: { host: …, port: … } }`.
- end_warning
- @redirect = options.slice(:host, :port)
- else
- @redirect = redirect
- end
+ @redirect = redirect
@exclude = @redirect && @redirect[:exclude] || proc { !@redirect }
@secure_cookies = secure_cookies
- if hsts != true && hsts != false && hsts[:subdomains].nil?
- hsts[:subdomains] = false
-
- ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
- In Rails 5.1, The `:subdomains` option of HSTS config will be treated as true if
- unspecified. Set `config.ssl_options = { hsts: { subdomains: false } }` to opt out
- of this behavior.
- end_warning
- end
-
@hsts_header = build_hsts_header(normalize_hsts_options(hsts))
end
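Review bot: The new `subdomains: true` default in `default_hsts_options` is undocumented at the definition, and it is the security-relevant part of this hunk: once a browser has seen the header from the parent host, any subdomain still served over plain HTTP is unreachable from that browser for the whole `HSTS_EXPIRES_IN` window. A comment above the method should state this and name the opt-out that the removed deprecation warning used to give, e.g. `# includeSubDomains is on by default; opt out with config.ssl_options = { hsts: { subdomains: false } }`. Since `**options` is gone from `initialize`, a leftover `host:`/`port:` key in `ssl_options` now raises ArgumentError (unknown keyword) instead of warning, which is presumably intended but deserves a line in the CHANGELOG entry rather than the bare "Remove deprecated `host` and `port` ssl options." `initialize` ends inside the hunk, but `normalize_hsts_options` and `build_hsts_header` are outside it, so how `hsts: false` is merged with these defaults can only be inferred from the test changes.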
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
index 71b274bf1e..e29ffa750c 100644
--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -12,25 +12,16 @@ class SSLTest < ActionDispatch::IntegrationTest
end
class RedirectSSLTest < SSLTest
- def assert_not_redirected(url, headers: {}, redirect: {}, deprecated_host: nil,
- deprecated_port: nil)
-
- self.app = build_app ssl_options: { redirect: redirect,
- host: deprecated_host, port: deprecated_port
- }
-
+ def assert_not_redirected(url, headers: {}, redirect: {})
+ self.app = build_app ssl_options: { redirect: redirect }
get url, headers: headers
assert_response :ok
end
- def assert_redirected(redirect: {}, deprecated_host: nil, deprecated_port: nil,
- from: "http://a/b?c=d", to: from.sub("http", "https"))
-
+ def assert_redirected(redirect: {}, from: "http://a/b?c=d", to: from.sub("http", "https"))
redirect = { status: 301, body: [] }.merge(redirect)
- self.app = build_app ssl_options: { redirect: redirect,
- host: deprecated_host, port: deprecated_port
- }
+ self.app = build_app ssl_options: { redirect: redirect }
get from
assert_response redirect[:status] || 301
@@ -99,18 +90,6 @@ class RedirectSSLTest < SSLTest
assert_redirected redirect: { host: "ssl:443" }, to: "https://ssl:443/b?c=d"
end
- test ":host is deprecated, moved within redirect: { host: … }" do
- assert_deprecated do
- assert_redirected deprecated_host: "foo", to: "https://foo/b?c=d"
- end
- end
-
- test ":port is deprecated, moved within redirect: { port: … }" do
- assert_deprecated do
- assert_redirected deprecated_port: 1, to: "https://a:1/b?c=d"
- end
- end
-
test "no redirect with redirect set to false" do
assert_not_redirected "http://example.org", redirect: false
end
@@ -139,23 +118,19 @@ class StrictTransportSecurityTest < SSLTest
end
test "hsts: true enables default settings" do
- assert_hsts EXPECTED, hsts: true
+ assert_hsts EXPECTED_WITH_SUBDOMAINS, hsts: true
end
test "hsts: false sets max-age to zero, clearing browser HSTS settings" do
- assert_hsts "max-age=0", hsts: false
+ assert_hsts "max-age=0; includeSubDomains", hsts: false
end
test ":expires sets max-age" do
- assert_deprecated do
- assert_hsts "max-age=500", hsts: { expires: 500 }
- end
+ assert_hsts "max-age=500; includeSubDomains", hsts: { expires: 500 }
end
test ":expires supports AS::Duration arguments" do
- assert_deprecated do
- assert_hsts "max-age=31557600", hsts: { expires: 1.year }
- end
+ assert_hsts "max-age=31557600; includeSubDomains", hsts: { expires: 1.year }
end
test "include subdomains" do
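Review bot: The `hsts: false` assertion now expects `max-age=0; includeSubDomains` while the test name says the header clears browser HSTS settings, and nothing in the test explains why the extra token is acceptable. It is harmless because a zero max-age makes the user agent discard its whole cached policy for the host, includeSubDomains flag included, but a later reader may "fix" the expectation; a comment on that line such as `# max-age=0 drops the cached policy; includeSubDomains comes from the new default and is a no-op here` would pin the intent. `EXPECTED_WITH_SUBDOMAINS` is not defined in this hunk; the diffstat's insertion count suggests it already existed, presumably used by the "include subdomains" test that starts on the hunk's last line.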
@@ -167,15 +142,11 @@ class StrictTransportSecurityTest < SSLTest
end
test "opt in to browser preload lists" do
- assert_deprecated do
- assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
- end
+ assert_hsts "#{EXPECTED_WITH_SUBDOMAINS}; preload", hsts: { preload: true }
end
test "opt out of browser preload lists" do
- assert_deprecated do
- assert_hsts EXPECTED, hsts: { preload: false }
- end
+ assert_hsts EXPECTED_WITH_SUBDOMAINS, hsts: { preload: false }
end
end