aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/dispatch/ssl_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* :warning: "Use assert_nil if expecting nil. This will fail in MT6."Akira Matsuda2017-01-181-1/+5
|
* Fix inconsistent results when parsing large durations and constructing ↵Andrey Novikov2017-01-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | durations from code ActiveSupport::Duration.parse('P3Y') == 3.years # It should be true Duration parsing made independent from any moment of time: Fixed length in seconds is assigned to each duration part during parsing. Changed duration of months and years in seconds to more accurate and logical: 1. The value of 365.2425 days in Gregorian year is more accurate as it accounts for every 400th non-leap year. 2. Month's length is bound to year's duration, which makes sensible comparisons like `12.months == 1.year` to be `true` and nonsensical ones like `30.days == 1.month` to be `false`. Calculations on times and dates with durations shouldn't be affected as duration's numeric value isn't used in calculations, only parts are used. Methods on `Numeric` like `2.days` now use these predefined durations to avoid duplicating of duration constants through the codebase and eliminate creation of intermediate durations.
* Remove deprecated code in ssl middlewareRafael Mendonça França2016-10-101-39/+10
|
* Return 307 status instead of 301 when rerouting POST requests to SSLChirag Singhal2016-08-221-0/+14
| | | | | | | | | | | When `config.force_ssl` is set to `true`, any POST/PUT/DELETE requests coming in to non-secure url are being redirected with a 301 status. However, when that happens, the request is converted to a GET request and ends up hitting a different action on the controller. Since we can not do non-GET redirects, we can instead redirect with a 307 status code instead to indicate to the caller that a fresh request should be tried preserving the original request method. `rack-ssl` gem which was used to achieve this before we had this middleware directly baked into Rails also used to do the same, ref: https://github.com/josh/rack-ssl/blob/master/lib/rack/ssl.rb#L54 This would be specially important for any apps switching from older version of Rails or apps which expose an API through Rails.
* applies remaining conventions across the projectXavier Noria2016-08-061-1/+0
|
* applies new string literal convention in actionpack/testXavier Noria2016-08-061-69/+69
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Rename constrain_to to exclude.Kasper Timm Hansen2016-03-031-4/+4
| | | | | | | | | `ActionDispatch::SSL` redirects all HTTP requests to HTTPS, not just some. The `constrain_to` option inverts this, so it sounds like the middleware only handles a few requests, rather than the majority with a few routes to opt out of the redirect. Renaming to `exclude` matches this intent more closely.
* add `constraint_to` option to SSL middlewareGreg Molnar2016-02-281-0/+7
|
* Added deprecation for older appsPrathamesh Sonpatki2016-02-251-7/+16
| | | | | | | | - For old apps which are not setting any value for hsts[:subdomains], a deprecation warning will be shown saying that hsts[:subdomains] will be turned on by default in Rails 5.1. Currently it will be set to false for backward compatibility. - Adjusted tests to reflect this change.
* Remove splat operator warning from ssl_testPrathamesh Sonpatki2016-01-071-1/+1
| | | | | | - Removes following warning - `rails/actionpack/test/dispatch/ssl_test.rb:203: warning: `*' interpreted as argument prefix`.
* Flexible configuration for ActionDispatch::SSLTim Rogers2015-12-291-15/+30
|
* Make `config.force_ssl` less dangerous to try and easier to disableJeremy Daer2015-09-071-164/+133
| | | | | | | | | | | | | | | | | | | | | | | | SSL redirect: * Move `:host` and `:port` options within `redirect: { … }`. Deprecate. * Introduce `:status` and `:body` to customize the redirect response. The 301 permanent default makes it difficult to test the redirect and back out of it since browsers remember the 301. Test with a 302 or 307 instead, then switch to 301 once you're confident that all is well. HTTP Strict Transport Security (HSTS): * Shorter max-age. Shorten the default max-age from 1 year to 180 days, the low end for https://www.ssllabs.com/ssltest/ grading and greater than the 18-week minimum to qualify for browser preload lists. * Disabling HSTS. Setting `hsts: false` now sets `hsts: { expires: 0 }` instead of omitting the header. Omitting does nothing to disable HSTS since browsers hang on to your previous settings until they expire. Sending `{ hsts: { expires: 0 }}` flushes out old browser settings and actually disables HSTS: http://tools.ietf.org/html/rfc6797#section-6.1.1 * HSTS Preload. Introduce `preload: true` to set the `preload` flag, indicating that your site may be included in browser preload lists, including Chrome, Firefox, Safari, IE11, and Edge. Submit your site: https://hstspreload.appspot.com
* ActionDispatch::SSL should keep original header's behaviorFumiaki MATSUSHIMA2015-06-141-0/+11
| | | | | | `ActionDispatch::SSL` changes headers to `Hash`. So some headers will be broken if there are some middlewares on ActionDispatch::SSL and if it uses `Rack::Utils::HeaderHash`.
* Consistent usage of spaces in hashes across our codebaseRafael Mendonça França2015-01-291-1/+1
|
* Switch to kwargs in ActionController::TestCase and ActionDispatch::IntegrationKir Shatrov2015-01-291-1/+1
| | | | | | | | Non-kwargs requests are deprecated now. Guides are updated as well. `post url, nil, nil, { a: 'b' }` doesn't make sense. `post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
* Avoid URI parsingAndriel Nuernberg2014-04-091-0/+7
| | | | | This parsing is unecessary once the Request object already has the needed information.
* Space is not required for Set-Cookie headerYamagishi Kazutoshi2013-07-051-0/+29
|
* Merge pull request #11069 from ykzts/actiondispatch-ssl-secure-flag-igonore-caseGuillermo Iguaran2013-06-241-0/+14
|\ | | | | Flag cookies as secure with ignore case in ActionDispatch::SSL
| * Flag cookies as secure with ignore case in ActionDispatch::SSLYamagishi Kazutoshi2013-06-241-0/+14
| |
* | ActionDispatch:SSL: don't include STS header in non-https responsesGeoff Buesing2013-06-231-0/+5
|/
* Allow use of durations for ActionDispatch::SSL configurationAndrew White2013-01-041-0/+7
|
* Alias refute methods to assert_not and perfer assert_not on testsRafael Mendonça França2012-12-311-1/+1
|
* Fix secure cookies when there are more than one space before the secureRafael Mendonça França2012-03-191-0/+28
| | | | keyword
* Remove exclude option from ActionDispatch::SSLRafael Mendonça França2012-03-191-6/+0
|
* Some refactoring and update ActionDispatch::SSL code to use the Rack 1.4.xRafael Mendonça França2012-03-171-14/+0
|
* Rack::SSL -> ActionDispatch::SSLRafael Mendonça França2012-03-171-0/+149