Bug 600475 - Support the 'includeSubDomains' flag as an option for the 'Strict-Transport-Security' advanced option in order to protect subdomains.

[r=glob a=mkanat]
author: Reed Loden <reed@reedloden.com> 2010-09-29 20:51:47 +0200
committer: Reed Loden <reed@reedloden.com> 2010-09-29 20:51:47 +0200
commit: 0aeaae0427e053b67bd65bf0131de9d562744514 (patch)
tree: ebafee96914c73cf83139e011a5387c3396f18c6 /Bugzilla/CGI.pm
parent: f63ac679439c2460d3087eedc319a353bf4ea082 (diff)
download: bugzilla-0aeaae0427e053b67bd65bf0131de9d562744514.tar.gz
bugzilla-0aeaae0427e053b67bd65bf0131de9d562744514.tar.xz
1 files changed, 6 insertions, 2 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index de92cda99..054ba96a0 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -276,8 +276,12 @@ sub header {
 
     # Add Strict-Transport-Security (STS) header if this response
     # is over SSL and the strict_transport_security param is turned on.
-    if ($self->https && Bugzilla->params->{'strict_transport_security'}) {
-        unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE);
+    if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') {
+        my $sts_opts = 'max-age=' . MAX_STS_AGE;
+        if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
+            $sts_opts .= '; includeSubDomains';
+        }
+        unshift(@_, '-strict_transport_security' => $sts_opts);
     }
 
     return $self->SUPER::header(@_) || "";
author	Reed Loden <reed@reedloden.com>	2010-09-29 20:51:47 +0200
committer	Reed Loden <reed@reedloden.com>	2010-09-29 20:51:47 +0200
commit	0aeaae0427e053b67bd65bf0131de9d562744514 (patch)
tree	ebafee96914c73cf83139e011a5387c3396f18c6 /Bugzilla/CGI.pm
parent	f63ac679439c2460d3087eedc319a353bf4ea082 (diff)
download	bugzilla-0aeaae0427e053b67bd65bf0131de9d562744514.tar.gz bugzilla-0aeaae0427e053b67bd65bf0131de9d562744514.tar.xz