Bug 594990: Make the Strict-Transport-Security HTTP header only be sent

if a particular parameter is enabled. r=glob, a=mkanat git-svn-id: svn://10.0.0.236/branches/BUGZILLA-4_0-BRANCH@261293 18797224-902f-48f8-a5cc-f745e15eee43
2010-09-28 03:39:43 +00:00 · 2010-09-28 03:39:43 +00:00 · 4657e20014
commit 4657e20014
parent b4a386a668
4 changed files with 24 additions and 3 deletions
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@ -1 +1 @@
-7417
+7418
--- a/mozilla/webtools/bugzilla/Bugzilla/CGI.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/CGI.pm
@ -287,8 +287,8 @@ sub header {
    }

    # Add Strict-Transport-Security (STS) header if this response
-    # is over SSL and ssl_redirect is enabled.
-    if ($self->https && Bugzilla->params->{'ssl_redirect'}) {
+    # is over SSL and the strict_transport_security param is turned on.
+    if ($self->https && Bugzilla->params->{'strict_transport_security'}) {
        unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
    }

--- a/mozilla/webtools/bugzilla/Bugzilla/Config/Advanced.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/Config/Advanced.pm
@ -52,6 +52,12 @@ use constant get_param_list => (
   type => 't',
   default => ''
  },
+
+  {
+   name => 'strict_transport_security',
+   type => 'b',
+   default => 0,
+  },
 );

 1;
--- a/mozilla/webtools/bugzilla/template/en/default/admin/params/advanced.html.tmpl
+++ b/mozilla/webtools/bugzilla/template/en/default/admin/params/advanced.html.tmpl
@ -24,6 +24,19 @@
   desc = "Settings for advanced configurations."
 %]

+[% sts_desc = BLOCK %]
+  Enables the sending of the 
+  <a href="http://en.wikipedia.org/wiki/Strict_Transport_Security">Strict-Transport-Security</a>
+  header along with HTTP responses on SSL connections. This adds greater
+  security to your SSL connections by forcing the browser to always
+  access your domain over SSL and never accept an invalid certificate. 
+  However, it should only be used if you have the <code>ssl_redirect</code>
+  parameter turned on, Bugzilla is the only thing running
+  on its domain (i.e., your <code>urlbase</code> is something like
+  <code>http://bugzilla.example.com/</code>), and you never plan to disable
+  the <code>ssl_redirect</code> parameter.
+[% END %]
+
 [% param_descs = {
  cookiedomain => 
    "If your website is at 'www.foo.com', setting this to"
@ -47,4 +60,6 @@
    _ " necessary to enter its URL if the web server cannot access the"
    _ " HTTP_PROXY environment variable. If you have to authenticate,"
    _ " use the <code>http://user:pass@proxy_url/</code> syntax.",
+
+  strict_transport_security => sts_desc,
 } %]