
Merge pull request #1117 from Alkarex/cookie_secure

`Secure` cookie flag when over HTTPS
Alexandre Alapetite vor 10 Jahren
2d9c27549d
3 geänderte Dateien mit 16 neuen und 8 gelöschten Zeilen
  1. 1 0
      CHANGELOG.md
  2. 12 5
      lib/Minz/Request.php
  3. 3 3
      lib/Minz/Session.php

+ 1 - 0
CHANGELOG.md

@@ -5,6 +5,7 @@
 * Security
 	* Added CSP `Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/issues/1075), [#1114](https://github.com/FreshRSS/FreshRSS/issues/1114)
 	* Added `X-Content-Type-Options: nosniff` [#1116](https://github.com/FreshRSS/FreshRSS/pull/1116)
+	* Cookie with `Secure` tag when used over HTTPS [#1117](https://github.com/FreshRSS/FreshRSS/pull/1117)
 * Features
 	* New list of domains for which to force HTTPS (for images, videos, iframes…) defined in `./data/force-https.default.txt` and `./data/force-https.txt` [#1083](https://github.com/FreshRSS/FreshRSS/issues/1083)
 		* In particular useful for privacy and to avoid mixed content errors, e.g. to see YouTube videos when FreshRSS is in HTTPS

+ 12 - 5
lib/Minz/Request.php

@@ -84,6 +84,17 @@ class Minz_Request {
 		self::magicQuotesOff();
 	}
 
+	/**
+	 * Return true if the request is over HTTPS, false otherwise (HTTP)
+	 */
+	public static function isHttps() {
+		if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
+			return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
+		} else {
+			return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
+		}
+	}
+
 	/**
 	 * Try to guess the base URL from $_SERVER information
 	 *
@@ -92,11 +103,7 @@ class Minz_Request {
 	public static function guessBaseUrl() {
 		$url = 'http';
 
-		if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
-			$https = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
-		} else {
-			$https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
-		}
+		$https = self::isHttps();
 
 		if (!empty($_SERVER['HTTP_HOST'])) {
 			$host = $_SERVER['HTTP_HOST'];
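Review bot: `isHttps()` trusts `HTTP_X_FORWARDED_PROTO` whenever the header is present, and with this commit its result now also decides the cookie `Secure` flag in Minz_Session, so on a deployment that is not behind a proxy which overwrites that header, a client-supplied value can flip the flag (a spoofed `https` on a plain-HTTP instance makes browsers drop the session cookie; a spoofed `http` on HTTPS drops `Secure`). Consider honouring the header only when the instance is configured as proxied, or at least documenting the assumption: `@return bool True when the request arrived over HTTPS, either directly or as reported by a proxy's X-Forwarded-Proto header (the header is trusted unconditionally).` The `else` after `return` on L43 can be dropped so the second branch is a plain `return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';`. The same header trust existed in `guessBaseUrl()` before and is only moved here; `guessBaseUrl()` continues past the second hunk.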

+ 3 - 3
lib/Minz/Session.php

@@ -73,7 +73,7 @@ class Minz_Session {
 	 * @param $l la durée de vie
 	 */
 	public static function keepCookie($l) {
-		session_set_cookie_params($l, self::getCookieDir(), '', false, true);
+		session_set_cookie_params($l, self::getCookieDir(), '', Minz_Request::isHttps(), true);
 	}
 
 
@@ -86,11 +86,11 @@ class Minz_Session {
 	}
 
 	public static function deleteLongTermCookie($name) {
-		setcookie($name, '', 1, '', '', false, true);
+		setcookie($name, '', 1, '', '', Minz_Request::isHttps(), true);
 	}
 
 	public static function setLongTermCookie($name, $value, $expire) {
-		setcookie($name, $value, $expire, '', '', false, true);
+		setcookie($name, $value, $expire, '', '', Minz_Request::isHttps(), true);
 	}
 
 	public static function getLongTermCookie($name) {
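Review bot: `deleteLongTermCookie()` (L82) derives `Secure` from the current request rather than from how the cookie was originally set, so a cookie created with `Secure` over HTTPS may not be cleared by a later HTTP request, since browsers with strict Secure-cookie handling ignore a non-Secure overwrite of a Secure cookie; the same request-dependence applies to `keepCookie()` (L73) and `setLongTermCookie()` (L87) on instances reachable over both schemes. Worth a comment above the `setcookie` call, `// Secure must match the value used when the cookie was set, otherwise the browser may ignore this deletion`, and possibly forcing the flag from configuration rather than per request. `getLongTermCookie()` starts on the hunk's last line and its body is outside the hunk.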