8 rokov pred · 61bc012a62
--- a/config/config.go
+++ b/config/config.go
@@ -167,6 +167,11 @@ func (c *Config) OAuth2Provider() string {
 
				 	return c.get("OAUTH2_PROVIDER", "")
			
 
				 }
			
 
				 
			
 
				+// HasHSTS returns true if HTTP Strict Transport Security is enabled.
			
 
				+func (c *Config) HasHSTS() bool {
			
 
				+	return c.get("DISABLE_HSTS", "") == ""
			
 
				+}
			
 
				+
			
 
				 // NewConfig returns a new Config.
			
 
				 func NewConfig() *Config {
			
 
				 	return &Config{IsHTTPS: os.Getenv("HTTPS") != ""}
			
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -80,3 +80,22 @@ func TestDefaultBaseURL(t *testing.T) {
 
				 		t.Fatalf(`Unexpected base path, got "%s"`, cfg.BasePath())
			
 
				 	}
			
 
				 }
			
 
				+
			
 
				+func TestHSTSOn(t *testing.T) {
			
 
				+	os.Clearenv()
			
 
				+	cfg := NewConfig()
			
 
				+
			
 
				+	if !cfg.HasHSTS() {
			
 
				+		t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
			
 
				+	}
			
 
				+}
			
 
				+
			
 
				+func TestHSTSOff(t *testing.T) {
			
 
				+	os.Clearenv()
			
 
				+	os.Setenv("DISABLE_HSTS", "1")
			
 
				+	cfg := NewConfig()
			
 
				+
			
 
				+	if cfg.HasHSTS() {
			
 
				+		t.Fatalf(`Unexpected HSTS value, got "%v"`, cfg.HasHSTS())
			
 
				+	}
			
 
				+}
			
--- a/http/handler/handler.go
+++ b/http/handler/handler.go
@@ -45,7 +45,7 @@ func (h *Handler) Use(f ControllerFunc) http.Handler {
 
				 
			
 
				 		ctx := NewContext(r, h.store, h.router, h.translator)
			
 
				 		request := NewRequest(r)
			
 
				-		response := NewResponse(w, r, h.template)
			
 
				+		response := NewResponse(h.cfg, w, r, h.template)
			
 
				 		language := ctx.UserLanguage()
			
 
				 
			
 
				 		if language != "" {
			
--- a/http/handler/response.go
+++ b/http/handler/response.go
@@ -8,11 +8,13 @@ import (
 
				 	"net/http"
			
 
				 	"time"
			
 
				 
			
 
				+	"github.com/miniflux/miniflux/config"
			
 
				 	"github.com/miniflux/miniflux/template"
			
 
				 )
			
 
				 
			
 
				 // Response handles HTTP responses.
			
 
				 type Response struct {
			
 
				+	cfg      *config.Config
			
 
				 	writer   http.ResponseWriter
			
 
				 	request  *http.Request
			
 
				 	template *template.Engine
			
@@ -74,9 +76,13 @@ func (r *Response) commonHeaders() {
 
				 	// Even if the directive "frame-src" has been deprecated in Firefox,
			
 
				 	// we keep it to stay compatible with other browsers.
			
 
				 	r.writer.Header().Set("Content-Security-Policy", "default-src 'self'; img-src *; media-src *; frame-src *; child-src *")
			
 
				+
			
 
				+	if r.cfg.IsHTTPS && r.cfg.HasHSTS() {
			
 
				+		r.writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
			
 
				+	}
			
 
				 }
			
 
				 
			
 
				 // NewResponse returns a new Response.
			
 
				-func NewResponse(w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
			
 
				-	return &Response{writer: w, request: r, template: template}
			
 
				+func NewResponse(cfg *config.Config, w http.ResponseWriter, r *http.Request, template *template.Engine) *Response {
			
 
				+	return &Response{cfg: cfg, writer: w, request: r, template: template}
			
 
				 }