Check exclude before flagging cookies as secure in ActionDispatch::SSL (#32262)
* Check exclude before flagging cookies as secure. * Update comments in ActionDispatch::SSL. [Catherine Khuu + Rafael Mendonça França]
This commit is contained in:
parent
008538081b
commit
46ae2b18ea
@ -1,3 +1,7 @@
|
|||||||
|
* Check exclude before flagging cookies as secure.
|
||||||
|
|
||||||
|
*Catherine Khuu*
|
||||||
|
|
||||||
* Rails 6 requires Ruby 2.4.1 or newer.
|
* Rails 6 requires Ruby 2.4.1 or newer.
|
||||||
|
|
||||||
*Jeremy Daer*
|
*Jeremy Daer*
|
||||||
|
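--- a/<placeholder: file path not shown on page>
+++ b/<placeholder: file path not shown on page>
@@ -15,6 +15,8 @@ module ActionDispatch
 #
 # config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
 #
+# Cookies will not be flagged as secure for excluded requests.
+#
 # 2. <b>Secure cookies</b>: Sets the +secure+ flag on cookies to tell browsers they
 # must not be sent along with +http://+ requests. Enabled by default. Set
 # +config.ssl_options+ with <tt>secure_cookies: false</tt> to disable this feature.
@@ -71,7 +73,7 @@ def call(env)
 if request.ssl?
 @app.call(env).tap do |status, headers, body|
 set_hsts_header! headers
-flag_cookies_as_secure! headers if @secure_cookies
+flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)
 end
 else
 return redirect_to_https request unless @exclude.call(request)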
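Review bot: The new guard on `flag_cookies_as_secure!` means an excluded request served over HTTPS still gets its HSTS header but sets its cookies without the +secure+ flag, and the added comment should say so pointedly for anyone who copies the unanchored `request.path =~ /healthcheck/` example just above it. I would extend the new comment line to `# Cookies will not be flagged as secure for excluded requests, so limit the exclusion to endpoints that set no session or authentication cookies (anchor the match with \A rather than a substring =~).` The default for `@exclude` and the rest of `call` are outside the hunk, so this relies on `@exclude` always being callable, as the existing `else` branch already does.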
@ -208,6 +208,14 @@ def test_cookies_as_not_secure_with_secure_cookies_disabled
|
|||||||
assert_cookies(*DEFAULT.split("\n"))
|
assert_cookies(*DEFAULT.split("\n"))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_cookies_as_not_secure_with_exclude
|
||||||
|
excluding = { exclude: -> request { request.domain =~ /example/ } }
|
||||||
|
get headers: { "Set-Cookie" => DEFAULT }, ssl_options: { redirect: excluding }
|
||||||
|
|
||||||
|
assert_cookies(*DEFAULT.split("\n"))
|
||||||
|
assert_response :ok
|
||||||
|
end
|
||||||
|
|
||||||
def test_no_cookies
|
def test_no_cookies
|
||||||
get
|
get
|
||||||
assert_nil response.headers["Set-Cookie"]
|
assert_nil response.headers["Set-Cookie"]
|
||||||
|
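Review bot: `test_cookies_as_not_secure_with_exclude` cannot tell which branch of `call` it exercised: whether `get` defaults to an SSL request is decided outside this hunk, and for a non-SSL request the excluded path already returned the app response with unflagged cookies before this commit, so both assertions would pass without the fix. Asserting that the response carries the HSTS header, which the middleware sets only in the `request.ssl?` branch, or passing the scheme explicitly to `get`, would pin the test to the SSL path. The `get` helper and `DEFAULT` are defined outside the hunk.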