Merge pull request #20559 from mtsmfm/fix-header-modification-by-ssl

ActionDispatch::SSL should keep original header's behavior

actionpack/lib/action_dispatch/middleware/ssl.rb

@@ -22,7 +22,7 @@ def call(env)
 
       if request.ssl?
         status, headers, body = @app.call(env)
-        headers = hsts_headers.merge(headers)
+        headers.reverse_merge!(hsts_headers)
         flag_cookies_as_secure!(headers)
         [status, headers, body]
       else

actionpack/test/dispatch/ssl_test.rb

@@ -216,4 +216,15 @@ def test_redirect_to_secure_subdomain_when_on_deep_subdomain
     assert_equal "https://example.co.uk/path?key=value",
       response.headers['Location']
   end
+
+  def test_keeps_original_headers_behavior
+    headers = Rack::Utils::HeaderHash.new(
+      "Content-Type" => "text/html",
+      "Connection" => ["close"]
+    )
+    self.app = ActionDispatch::SSL.new(lambda { |env| [200, headers, ["OK"]] })
+
+    get "https://example.org/"
+    assert_equal "close", response.headers["Connection"]
+  end
 end