diff options
| author | Reed Loden <reed@reedloden.com> | 2010-09-29 20:51:47 +0200 |
|---|---|---|
| committer | Reed Loden <reed@reedloden.com> | 2010-09-29 20:51:47 +0200 |
| commit | 0aeaae0427e053b67bd65bf0131de9d562744514 (patch) | |
| tree | ebafee96914c73cf83139e011a5387c3396f18c6 /Bugzilla | |
| parent | f63ac679439c2460d3087eedc319a353bf4ea082 (diff) | |
| download | bugzilla-0aeaae0427e053b67bd65bf0131de9d562744514.tar.gz bugzilla-0aeaae0427e053b67bd65bf0131de9d562744514.tar.xz | |
Bug 600475 - Support the 'includeSubDomains' flag as an option for the 'Strict-Transport-Security' advanced option in order to protect subdomains.
[r=glob a=mkanat]
Diffstat (limited to 'Bugzilla')
| -rw-r--r-- | Bugzilla/CGI.pm | 8 | ||||
| -rw-r--r-- | Bugzilla/Config/Advanced.pm | 6 |
2 files changed, 10 insertions, 4 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index de92cda99..054ba96a0 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -276,8 +276,12 @@ sub header { # Add Strict-Transport-Security (STS) header if this response # is over SSL and the strict_transport_security param is turned on. - if ($self->https && Bugzilla->params->{'strict_transport_security'}) { - unshift(@_, '-strict-transport-security' => 'max-age=' . MAX_STS_AGE); + if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') { + my $sts_opts = 'max-age=' . MAX_STS_AGE; + if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') { + $sts_opts .= '; includeSubDomains'; + } + unshift(@_, '-strict_transport_security' => $sts_opts); } return $self->SUPER::header(@_) || ""; diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm index e15a42963..fada813f1 100644 --- a/Bugzilla/Config/Advanced.pm +++ b/Bugzilla/Config/Advanced.pm @@ -55,8 +55,10 @@ use constant get_param_list => ( { name => 'strict_transport_security', - type => 'b', - default => 0, + type => 's', + choices => ['off', 'this_domain_only', 'include_subdomains'], + default => 'off', + checker => \&check_multi }, ); |