rails · saizai · Jul 16, 2012 · Jul 16, 2012 · Jul 16, 2012 · pixeltrix
diff --git a/actionpack/lib/action_dispatch/middleware/ssl.rb b/actionpack/lib/action_dispatch/middleware/ssl.rb
@@ -19,12 +19,17 @@ def initialize(app, options = {})
 
     def call(env)
       request = Request.new(env)
-
+      
       if request.ssl?
         status, headers, body = @app.call(env)
         headers = hsts_headers.merge(headers)
         flag_cookies_as_secure!(headers)
         [status, headers, body]
+      elsif URI(request.url).host =~ /\.onion$/
+        # Do not enforce SSL on Tor hidden services (e.g. if this server hosts content both over SSL and Tor).
+        # CAs cannot verify .onion ownership for SSL (so it provides no auth),and SSL introduces leaks that actually degrade Tor security/privacy.
+        # Cf. https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ?version=1390#WhyisitbettertoprovideahiddenserviceWebsitewithHTTPratherthanHTTPSaccess
+        @app.call(env)
       else
         redirect_to_https(request)
       end