From dc687c6730ad87189e86867a30e5349388a10777 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adri=C3=A1n=20Mart=C3=ADnez?=
Date: Tue, 8 May 2018 18:41:58 +0200
Subject: [PATCH] Fix \Magento\Checkout\Controller\Index\Index::isSecureRequest method to take care of current request being secure and also from referer, as stated in phpdoc block
---
 .../Checkout/Controller/Index/Index.php | 12 +++++-------
 .../Test/Unit/Controller/Index/IndexTest.php | 19 ++++++++++---------
 2 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/app/code/Magento/Checkout/Controller/Index/Index.php b/app/code/Magento/Checkout/Controller/Index/Index.php
index 9fe760d3fa74c..0902782b72d83 100644
--- a/app/code/Magento/Checkout/Controller/Index/Index.php
+++ b/app/code/Magento/Checkout/Controller/Index/Index.php
@@ -51,18 +51,16 @@ public function execute()
 */
 private function isSecureRequest(): bool
 {
- $secure = false;
 $request = $this->getRequest();
- if ($request->isSecure()) {
- $secure = true;
- }
+ $referrer = $request->getHeader('referer');
+ $secure = false;
- if ($request->getHeader('referer')) {
- $scheme = parse_url($request->getHeader('referer'), PHP_URL_SCHEME);
+ if ($referrer) {
+ $scheme = parse_url($referrer, PHP_URL_SCHEME);
 $secure = $scheme === 'https';
 }
- return $secure;
+ return $secure && $request->isSecure();
 }
 }
diff --git a/app/code/Magento/Checkout/Test/Unit/Controller/Index/IndexTest.php b/app/code/Magento/Checkout/Test/Unit/Controller/Index/IndexTest.php
index 8ce7a6ac13e98..04723c5894f8f 100644
--- a/app/code/Magento/Checkout/Test/Unit/Controller/Index/IndexTest.php
+++ b/app/code/Magento/Checkout/Test/Unit/Controller/Index/IndexTest.php
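Review bot: In `isSecureRequest()` (Controller/Index/Index.php) the `$referrer` value is a client-supplied header and only its scheme is checked, so any `https://` Referer on an HTTPS request makes the method return true, whatever host it names. If the caller uses this result to skip session ID regeneration, as the comment added to the test data provider suggests (`execute()` lies outside the hunk), then that skip is decided by request data the server cannot verify. Consider also comparing the Referer host with the store's configured secure base URL before returning true. At minimum, state the limitation in the docblock, which begins above the hunk, e.g. `Referer is client-controlled; this is a heuristic for "already on HTTPS", not a trust decision`.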
@@ -236,26 +236,27 @@ public function testRegenerateSessionIdOnExecute(bool $secure, string $referer,
 public function sessionRegenerationDataProvider(): array
 {
 return [
+ [
+ 'secure' => false,
+ 'referer' => 'https://test.domain.com/',
+ 'expectedCall' => self::once()
+ ],
 [
 'secure' => true,
 'referer' => false,
- 'expectedCall' => self::never()
+ 'expectedCall' => self::once()
 ],
 [
 'secure' => true,
- 'referer' => 'https://test.domain.com/',
- 'expectedCall' => self::never()
+ 'referer' => 'http://test.domain.com/',
+ 'expectedCall' => self::once()
 ],
+ // This is the only case in which session regeneration can be skipped
 [
- 'secure' => false,
+ 'secure' => true,
 'referer' => 'https://test.domain.com/',
 'expectedCall' => self::never()
 ],
- [
- 'secure' => true,
- 'referer' => 'http://test.domain.com/',
- 'expectedCall' => self::once()
- ]
 ];
 }