From 46ae2b18ea2808eccf3894570dbec46bdb569652 Mon Sep 17 00:00:00 2001
From: Catherine Khuu <catherine.khuu@plated.com>
Date: Thu, 15 Mar 2018 17:29:21 -0400
Subject: Check exclude before flagging cookies as secure in
 ActionDispatch::SSL (#32262)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Check exclude before flagging cookies as secure.

* Update comments in ActionDispatch::SSL.

[Catherine Khuu + Rafael Mendonça França]
---
 actionpack/lib/action_dispatch/middleware/ssl.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 6d9f36ad75..240269d1c7 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -15,6 +15,8 @@ module ActionDispatch
   #
   #      config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
   #
+  #    Cookies will not be flagged as secure for excluded requests.
+  #
   # 2. <b>Secure cookies</b>: Sets the +secure+ flag on cookies to tell browsers they
   #    must not be sent along with +http://+ requests. Enabled by default. Set
   #    +config.ssl_options+ with <tt>secure_cookies: false</tt> to disable this feature.
@@ -71,7 +73,7 @@ module ActionDispatch
       if request.ssl?
         @app.call(env).tap do |status, headers, body|
           set_hsts_header! headers
-          flag_cookies_as_secure! headers if @secure_cookies
+          flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)
         end
       else
         return redirect_to_https request unless @exclude.call(request)
-- 
cgit v1.2.3