From 6eb3a1b0587cbad20b180a9d6c7b3a5fbcc91e8b Mon Sep 17 00:00:00 2001
From: Egor Homakov <homakov@gmail.com>
Date: Fri, 18 Dec 2015 16:19:49 +0300
Subject: HSTS without IncludeSubdomains is often useless

1) Because if you forget to add Secure; to the session cookie, it will leak to http:// subdomain in some cases
2) Because http:// subdomain can Cookie Bomb/cookie force main domain or be used for phishing.

That's why *by default* it must include subdomains as it's much more common scenario. Very few websites *intend* to leave their blog.app.com working over http:// while having everything else encrypted.

Yes, many developers forget to add subdomains=true by default, believe me :)
---
 actionpack/lib/action_dispatch/middleware/ssl.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 735b5939dd..823cefe957 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -40,7 +40,7 @@ module ActionDispatch
     HSTS_EXPIRES_IN = 15552000
 
     def self.default_hsts_options
-      { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
+      { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
     end
 
     def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
-- 
cgit v1.2.3


From 31cf0f5571cd845eec8ddbe190ba960d5823ffbc Mon Sep 17 00:00:00 2001
From: Prathamesh Sonpatki <csonpatki@gmail.com>
Date: Thu, 25 Feb 2016 10:18:53 +0530
Subject: Added deprecation for older apps

- For old apps which are not setting any value for hsts[:subdomains],
  a deprecation warning will be shown saying that hsts[:subdomains] will
  be turned on by default in Rails 5.1. Currently it will be set to
  false for backward compatibility.
- Adjusted tests to reflect this change.
---
 actionpack/lib/action_dispatch/middleware/ssl.rb | 13 ++++++++++++-
 actionpack/test/dispatch/ssl_test.rb             | 23 ++++++++++++++++-------
 2 files changed, 28 insertions(+), 8 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 823cefe957..b2383385c5 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -40,7 +40,7 @@ module ActionDispatch
     HSTS_EXPIRES_IN = 15552000
 
     def self.default_hsts_options
-      { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
+      { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
     end
 
     def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
@@ -57,6 +57,17 @@ module ActionDispatch
       end
 
       @secure_cookies = secure_cookies
+
+      if hsts != true && hsts != false && hsts[:subdomains].nil?
+        hsts[:subdomains] = false
+
+        ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
+          In Rails 5.1, HSTS support for subdomains will be turned on by default.
+          Set `config.ssl_options = { hsts: { subdomains: false }}` to opt out
+          of this behavior.
+        end_warning
+      end
+
       @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
     end
 
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
index c66a0e6a7a..18ff894b31 100644
--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -7,7 +7,7 @@ class SSLTest < ActionDispatch::IntegrationTest
 
   def build_app(headers: {}, ssl_options: {})
     headers = HEADERS.merge(headers)
-    ActionDispatch::SSL.new lambda { |env| [200, headers, []] }, ssl_options
+    ActionDispatch::SSL.new lambda { |env| [200, headers, []] }, ssl_options.reverse_merge(hsts: { subdomains: true })
   end
 end
 
@@ -98,15 +98,16 @@ end
 
 class StrictTransportSecurityTest < SSLTest
   EXPECTED = 'max-age=15552000'
+  EXPECTED_WITH_SUBDOMAINS = 'max-age=15552000; includeSubDomains'
 
-  def assert_hsts(expected, url: 'https://example.org', hsts: {}, headers: {})
+  def assert_hsts(expected, url: 'https://example.org', hsts: { subdomains: true }, headers: {})
     self.app = build_app ssl_options: { hsts: hsts }, headers: headers
     get url
     assert_equal expected, response.headers['Strict-Transport-Security']
   end
 
   test 'enabled by default' do
-    assert_hsts EXPECTED
+    assert_hsts EXPECTED_WITH_SUBDOMAINS
   end
 
   test 'not sent with http:// responses' do
@@ -126,11 +127,15 @@ class StrictTransportSecurityTest < SSLTest
   end
 
   test ':expires sets max-age' do
-    assert_hsts 'max-age=500', hsts: { expires: 500 }
+    assert_deprecated do
+      assert_hsts 'max-age=500', hsts: { expires: 500 }
+    end
   end
 
   test ':expires supports AS::Duration arguments' do
-    assert_hsts 'max-age=31557600', hsts: { expires: 1.year }
+    assert_deprecated do
+      assert_hsts 'max-age=31557600', hsts: { expires: 1.year }
+    end
   end
 
   test 'include subdomains' do
@@ -142,11 +147,15 @@ class StrictTransportSecurityTest < SSLTest
   end
 
   test 'opt in to browser preload lists' do
-    assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
+    assert_deprecated do
+      assert_hsts "#{EXPECTED}; preload", hsts: { preload: true }
+    end
   end
 
   test 'opt out of browser preload lists' do
-    assert_hsts EXPECTED, hsts: { preload: false }
+    assert_deprecated do
+      assert_hsts EXPECTED, hsts: { preload: false }
+    end
   end
 end
 
-- 
cgit v1.2.3


From 4e92fb2097073ba788acbca00a232d07c8b14633 Mon Sep 17 00:00:00 2001
From: Prathamesh Sonpatki <csonpatki@gmail.com>
Date: Thu, 25 Feb 2016 10:37:08 +0530
Subject: Update documentation and deprecation message

---
 actionpack/lib/action_dispatch/middleware/ssl.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index b2383385c5..d6a0fe650c 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -23,7 +23,7 @@ module ActionDispatch
   #     preload lists is `18.weeks`.
   #   * `subdomains`: Set to `true` to tell the browser to apply these settings
   #     to all subdomains. This protects your cookies from interception by a
-  #     vulnerable site on a subdomain. Defaults to `false`.
+  #     vulnerable site on a subdomain. Defaults to `true`.
   #   * `preload`: Advertise that this site may be included in browsers'
   #     preloaded HSTS lists. HSTS protects your site on every visit *except the
   #     first visit* since it hasn't seen your HSTS header yet. To close this
@@ -62,8 +62,8 @@ module ActionDispatch
         hsts[:subdomains] = false
 
         ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
-          In Rails 5.1, HSTS support for subdomains will be turned on by default.
-          Set `config.ssl_options = { hsts: { subdomains: false }}` to opt out
+          In Rails 5.1, The `:subdomains` option of HSTS config will be treated as true if
+          unspecified. Set `config.ssl_options = { hsts: { subdomains: false }}` to opt out
           of this behavior.
         end_warning
       end
-- 
cgit v1.2.3