summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorReed Loden <reed@reedloden.com>2010-09-29 20:51:47 +0200
committerReed Loden <reed@reedloden.com>2010-09-29 20:51:47 +0200
commit0aeaae0427e053b67bd65bf0131de9d562744514 (patch)
treeebafee96914c73cf83139e011a5387c3396f18c6
parentf63ac679439c2460d3087eedc319a353bf4ea082 (diff)
downloadbugzilla-0aeaae0427e053b67bd65bf0131de9d562744514.tar.gz
bugzilla-0aeaae0427e053b67bd65bf0131de9d562744514.tar.xz
Bug 600475 - Support the 'includeSubDomains' flag as an option for the 'Strict-Transport-Security' advanced option in order to protect subdomains.
[r=glob a=mkanat]
-rw-r--r--Bugzilla/CGI.pm8
-rw-r--r--Bugzilla/Config/Advanced.pm6
-rw-r--r--template/en/default/admin/params/advanced.html.tmpl16
3 files changed, 26 insertions, 4 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index de92cda99..054ba96a0 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -276,8 +276,12 @@ sub header {
# Add Strict-Transport-Security (STS) header if this response
# is over SSL and the strict_transport_security param is turned on.
- if ($self->https && Bugzilla->params->{'strict_transport_security'}) {
- unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
+ if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') {
+ my $sts_opts = 'max-age=' . MAX_STS_AGE;
+ if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
+ $sts_opts .= '; includeSubDomains';
+ }
+ unshift(@_, '-strict_transport_security' => $sts_opts);
}
return $self->SUPER::header(@_) || "";
diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm
index e15a42963..fada813f1 100644
--- a/Bugzilla/Config/Advanced.pm
+++ b/Bugzilla/Config/Advanced.pm
@@ -55,8 +55,10 @@ use constant get_param_list => (
{
name => 'strict_transport_security',
- type => 'b',
- default => 0,
+ type => 's',
+ choices => ['off', 'this_domain_only', 'include_subdomains'],
+ default => 'off',
+ checker => \&check_multi
},
);
diff --git a/template/en/default/admin/params/advanced.html.tmpl b/template/en/default/admin/params/advanced.html.tmpl
index 10a1fb678..a8e8a297b 100644
--- a/template/en/default/admin/params/advanced.html.tmpl
+++ b/template/en/default/admin/params/advanced.html.tmpl
@@ -35,6 +35,22 @@
on its domain (i.e., your <code>urlbase</code> is something like
<code>http://bugzilla.example.com/</code>), and you never plan to disable
the <code>ssl_redirect</code> parameter.
+ <ul>
+ <li>
+ off - Don't send the Strict-Transport-Security header with requests.
+ </li>
+ <li>
+ this_domain_only - Send the Strict-Transport-Security header with all
+ requests, but only support it for the current domain.
+ </li>
+ <li>
+ include_subdomains - Send the Strict-Transport-Security header along
+ with the <code>includeSubDomains</code> flag, which will apply the
+ security change to all subdomains. This is especially useful when
+ combined with an <code>attachment_base</code> that exists as (a)
+ subdomain(s) under the main [% terms.Bugzilla %] domain.
+ </li>
+ </ul>
[% END %]
[% param_descs = {