Bug 600475 - Support the 'includeSubDomains' flag as an option for the 'Strict-Transport-Security' advanced option in order to protect subdomains.

[r=glob a=mkanat]

3 files changed, 26 insertions, 4 deletions

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index de92cda99..054ba96a0 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -276,8 +276,12 @@ sub header {
 
     # Add Strict-Transport-Security (STS) header if this response
     # is over SSL and the strict_transport_security param is turned on.
-    if ($self->https && Bugzilla->params->{'strict_transport_security'}) {
-        unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
+    if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') {
+        my $sts_opts = 'max-age=' . MAX_STS_AGE;
+        if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
+            $sts_opts .= '; includeSubDomains';
+        }
+        unshift(@_, '-strict_transport_security' => $sts_opts);
     }
 
     return $self->SUPER::header(@_) || "";
diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm
index e15a42963..fada813f1 100644
--- a/Bugzilla/Config/Advanced.pm
+++ b/Bugzilla/Config/Advanced.pm
@@ -55,8 +55,10 @@ use constant get_param_list => (
 
   {
    name => 'strict_transport_security',
-   type => 'b',
-   default => 0,
+   type => 's',
+   choices => ['off', 'this_domain_only', 'include_subdomains'],
+   default => 'off',
+   checker => \&check_multi
   },
 );
 
diff --git a/template/en/default/admin/params/advanced.html.tmpl b/template/en/default/admin/params/advanced.html.tmpl
index 10a1fb678..a8e8a297b 100644
--- a/template/en/default/admin/params/advanced.html.tmpl
+++ b/template/en/default/admin/params/advanced.html.tmpl
@@ -35,6 +35,22 @@
   on its domain (i.e., your <code>urlbase</code> is something like
   <code>http://bugzilla.example.com/</code>), and you never plan to disable
   the <code>ssl_redirect</code> parameter.
+  <ul>
+    <li>
+      off - Don't send the Strict-Transport-Security header with requests.
+    </li>
+    <li>
+      this_domain_only - Send the Strict-Transport-Security header with all
+      requests, but only support it for the current domain.
+    </li>
+    <li>
+      include_subdomains - Send the Strict-Transport-Security header along
+      with the <code>includeSubDomains</code> flag, which will apply the
+      security change to all subdomains. This is especially useful when
+      combined with an <code>attachment_base</code> that exists as (a)
+      subdomain(s) under the main [% terms.Bugzilla %] domain.
+    </li>
+  </ul>
 [% END %]
 
 [% param_descs = {