Check exclude before flagging cookies as secure in ActionDispatch::SSL (

#32262)

* Check exclude before flagging cookies as secure.

* Update comments in ActionDispatch::SSL.

[Catherine Khuu + Rafael Mendonça França]

actionpack/CHANGELOG.md

@@ -1,3 +1,8 @@
+*   Check exclude before flagging cookies as secure.
+
+    *Catherine Khuu*
+
+
 ## Rails 5.1.5 (February 14, 2018) ##
 
 *   Fix optimized url helpers when using relative url root

actionpack/lib/action_dispatch/middleware/ssl.rb

@@ -9,6 +9,8 @@ module ActionDispatch
   #      (e.g. `redirect: { host: "secure.widgets.com", port: 8080 }`), or set
   #      `redirect: false` to disable this feature.
   #
+  #    Cookies will not be flagged as secure for excluded requests.
+  #
   #   2. Secure cookies: Sets the `secure` flag on cookies to tell browsers they
   #      mustn't be sent along with http:// requests. Enabled by default. Set
   #      `config.ssl_options` with `secure_cookies: false` to disable this feature.
@@ -65,7 +67,7 @@ def call(env)
       if request.ssl?
         @app.call(env).tap do |status, headers, body|
           set_hsts_header! headers
-          flag_cookies_as_secure! headers if @secure_cookies
+          flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)
         end
       else
         return redirect_to_https request unless @exclude.call(request)

actionpack/test/dispatch/ssl_test.rb

@@ -206,6 +206,14 @@ def test_cookies_as_not_secure_with_secure_cookies_disabled
     assert_cookies(*DEFAULT.split("\n"))
   end
 
+  def test_cookies_as_not_secure_with_exclude
+    excluding = { exclude: -> request { request.domain =~ /example/ } }
+    get headers: { "Set-Cookie" => DEFAULT }, ssl_options: { redirect: excluding }
+
+    assert_cookies(*DEFAULT.split("\n"))
+    assert_response :ok
+  end
+
   def test_no_cookies
     get
     assert_nil response.headers["Set-Cookie"]