Bommels05/Mozilla
Bommels05/Mozilla
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 600475 - Support the 'includeSubDomains' flag as an option for the 'Strict-Transport-Security' advanced option in order to protect subdomains.

Browse Source 
[r=glob a=mkanat]


git-svn-id: svn://10.0.0.236/trunk@261301 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
mkanat%bugzilla.org 2010-09-29 19:03:27 +00:00
parent 50f853494f
commit ee495843f0
4 changed files with 27 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mozilla/webtools/bugzilla/.bzrrev
View File

@ -1 +1 @@
7494
7495

8
mozilla/webtools/bugzilla/Bugzilla/CGI.pm
View File

@ -276,8 +276,12 @@ sub header {
# Add Strict-Transport-Security (STS) header if this response
# is over SSL and the strict_transport_security param is turned on.
if ($self->https && Bugzilla->params->{'strict_transport_security'}) {
unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') {
my $sts_opts = 'max-age=' . MAX_STS_AGE;
if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
$sts_opts .= '; includeSubDomains';
}
unshift(@_, '-strict_transport_security' => $sts_opts);
}
return $self->SUPER::header(@_) || "";

6
mozilla/webtools/bugzilla/Bugzilla/Config/Advanced.pm
View File

@ -55,8 +55,10 @@ use constant get_param_list => (
{
name => 'strict_transport_security',
type => 'b',
default => 0,
type => 's',
choices => ['off', 'this_domain_only', 'include_subdomains'],
default => 'off',
checker => \&check_multi
},
);

16
mozilla/webtools/bugzilla/template/en/default/admin/params/advanced.html.tmpl
View File

@ -35,6 +35,22 @@
on its domain (i.e., your <code>urlbase</code> is something like
<code>http://bugzilla.example.com/</code>), and you never plan to disable
the <code>ssl_redirect</code> parameter.
<ul>
<li>
off - Don't send the Strict-Transport-Security header with requests.
</li>
<li>
this_domain_only - Send the Strict-Transport-Security header with all
requests, but only support it for the current domain.
</li>
<li>
include_subdomains - Send the Strict-Transport-Security header along
with the <code>includeSubDomains</code> flag, which will apply the
security change to all subdomains. This is especially useful when
combined with an <code>attachment_base</code> that exists as (a)
subdomain(s) under the main [% terms.Bugzilla %] domain.
</li>
</ul>
[% END %]
[% param_descs = {