From d0fd5aefb9108c8ebcb4868f0909f60bdfbc146f Mon Sep 17 00:00:00 2001
From: Catherine Khuu
Date: Thu, 15 Mar 2018 17:29:21 -0400
Subject: [PATCH] Check exclude before flagging cookies as secure in ActionDispatch::SSL (#32262)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Check exclude before flagging cookies as secure.

* Update comments in ActionDispatch::SSL.

[Catherine Khuu + Rafael Mendonça França]
---
 actionpack/CHANGELOG.md | 5 +++++
 actionpack/lib/action_dispatch/middleware/ssl.rb | 4 +++-
 actionpack/test/dispatch/ssl_test.rb | 8 ++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 57ad593bee35a..5fa595fddd0bc 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+* Check exclude before flagging cookies as secure.
+
+ *Catherine Khuu*
+
+
 ## Rails 5.1.5 (February 14, 2018) ##
 
 * Fix optimized url helpers when using relative url root
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
index 557721c301bf9..ffb2ae7dbdfcf 100644
--- a/actionpack/lib/action_dispatch/middleware/ssl.rb
+++ b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -9,6 +9,8 @@ module ActionDispatch
 # (e.g. `redirect: { host: "secure.widgets.com", port: 8080 }`), or set
 # `redirect: false` to disable this feature.
 #
+ # Cookies will not be flagged as secure for excluded requests.
+ #
 # 2. Secure cookies: Sets the `secure` flag on cookies to tell browsers they
 # mustn't be sent along with http:// requests. Enabled by default. Set
 # `config.ssl_options` with `secure_cookies: false` to disable this feature.
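Review bot: The added sentence `# Cookies will not be flagged as secure for excluded requests.` is placed under item 1 (redirection) of the class comment, while the behaviour it describes belongs to item 2 (secure cookies), which starts on the very next context line; a reader looking up the secure-cookies option will not see it. Move it under item 2, after the `secure_cookies: false` sentence, and name the option that drives it, e.g. `# Requests matched by the redirect \`exclude\` option are also served with their cookies left unflagged.` The enclosing comment block continues outside the hunk.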
@@ -65,7 +67,7 @@ def call(env)
 if request.ssl?
 @app.call(env).tap do |status, headers, body|
 set_hsts_header! headers
- flag_cookies_as_secure! headers if @secure_cookies
+ flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)
 end
 else
 return redirect_to_https request unless @exclude.call(request)
diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
index 757e26973f425..82d64e3812301 100644
--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -206,6 +206,14 @@ def test_cookies_as_not_secure_with_secure_cookies_disabled
 assert_cookies(*DEFAULT.split("\n"))
 end
 
+ def test_cookies_as_not_secure_with_exclude
+ excluding = { exclude: -> request { request.domain =~ /example/ } }
+ get headers: { "Set-Cookie" => DEFAULT }, ssl_options: { redirect: excluding }
+
+ assert_cookies(*DEFAULT.split("\n"))
+ assert_response :ok
+ end
+
 def test_no_cookies
 get
 assert_nil response.headers["Set-Cookie"]
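Review bot: The `&& !@exclude.call(request)` added to the `flag_cookies_as_secure!` line ties secure-cookie flagging to the redirect exclusion, so any exclusion that matches every request leaves every cookie unflagged over HTTPS. The initializer is outside the hunk, but if disabling redirection via `redirect: false` (the option the class comment documents) is implemented as an exclude-everything default, this change silently turns off secure cookies for exactly those deployments, a broader downgrade than the CHANGELOG entry describes. It also invokes the user-supplied proc on every HTTPS response, inside the `tap` block, where previously it ran only for plain-HTTP requests, so a slow or raising proc now affects the secure path. Gate the new check on an explicitly configured `exclude` rather than on the default proc, and add a case to ssl_test.rb with `redirect: false` and `secure_cookies` left on that still expects the `secure` flag. `call` begins and ends outside the hunk.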
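Review bot: `test_cookies_as_not_secure_with_exclude` only exercises the excluded request, so it would also pass if the new condition dropped the `secure` flag for every HTTPS request; it cannot distinguish the intended behaviour from an over-broad exclusion. Add the complement in the same test class: the same `exclude` lambda with a request whose domain does not match `/example/`, asserting that its cookies are still flagged secure and that the response is `:ok`. The enclosing test class continues outside the hunk.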