From 31cf0f5571cd845eec8ddbe190ba960d5823ffbc Mon Sep 17 00:00:00 2001 From: Prathamesh Sonpatki Date: Thu, 25 Feb 2016 10:18:53 +0530 Subject: Added deprecation for older apps - For old apps which are not setting any value for hsts[:subdomains], a deprecation warning will be shown saying that hsts[:subdomains] will be turned on by default in Rails 5.1. Currently it will be set to false for backward compatibility. - Adjusted tests to reflect this change. --- actionpack/lib/action_dispatch/middleware/ssl.rb | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'actionpack/lib/action_dispatch') diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb index 823cefe957..b2383385c5 100644 --- a/actionpack/lib/action_dispatch/middleware/ssl.rb +++ b/actionpack/lib/action_dispatch/middleware/ssl.rb @@ -40,7 +40,7 @@ module ActionDispatch HSTS_EXPIRES_IN = 15552000 def self.default_hsts_options - { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false } + { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false } end def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options) @@ -57,6 +57,17 @@ module ActionDispatch end @secure_cookies = secure_cookies + + if hsts != true && hsts != false && hsts[:subdomains].nil? + hsts[:subdomains] = false + + ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc + In Rails 5.1, HSTS support for subdomains will be turned on by default. + Set `config.ssl_options = { hsts: { subdomains: false }}` to opt out + of this behavior. + end_warning + end + @hsts_header = build_hsts_header(normalize_hsts_options(hsts)) end -- cgit v1.2.3