Don't track the Accept-Language header by default.

Some modern browsers (e.g., Safari 12, Chrome 71) don't set the
Accept-Language header for websocket requests. A mixture of
requests with and without this header results in unavailable
sessions in websocket handlers due to the built-in Firesheep
protection.

The existing default is inappropriate for any applications
employing Rack sessions for websocket connections.

rack-protection/lib/rack/protection/session_hijacking.rb

@@ -14,7 +14,7 @@ module Protection
     class SessionHijacking < Base
       default_reaction :drop_session
       default_options :tracking_key => :tracking, :encrypt_tracking => true,
-        :track => %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE]
+        :track => %w[HTTP_USER_AGENT]
 
       def accepts?(env)
         session = session env

rack-protection/spec/lib/rack/protection/session_hijacking_spec.rb

@@ -23,27 +23,6 @@
     expect(session).not_to be_empty
   end
 
-  it "denies requests with a changing Accept-Language header" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
-    expect(session).to be_empty
-  end
-
-  it "accepts requests with the same Accept-Language header" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    expect(session).not_to be_empty
-  end
-
-  it "comparison of Accept-Language header is not case sensitive" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
-    expect(session).not_to be_empty
-  end
-
   it "accepts requests with a changing Version header"do
     session = {:foo => :bar}
     get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'