Bug 607138: Don't send the Strict-Transport-Security header for the

author Max Kanat-Alexander <mkanat@bugzilla.org>

Mon, 6 Dec 2010 15:53:29 +0000 (07:53 -0800)

committer Max Kanat-Alexander <mkanat@bugzilla.org>

Mon, 6 Dec 2010 15:53:29 +0000 (07:53 -0800)
author Max Kanat-Alexander <mkanat@bugzilla.org>
Mon, 6 Dec 2010 15:53:29 +0000 (07:53 -0800)
committer Max Kanat-Alexander <mkanat@bugzilla.org>
Mon, 6 Dec 2010 15:53:29 +0000 (07:53 -0800)
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm

index 1dfca0a60401532f128ad08db9539d90a8bbb15d..c5cb0fa62e620151ec932597756c09e57d1563ed 100644 (file)
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -287,9 +287,13 @@ sub header {
  
      # Add Strict-Transport-Security (STS) header if this response
      # is over SSL and the strict_transport_security param is turned on.
-    if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') {
+    if ($self->https && !$self->url_is_attachment_base
+        && Bugzilla->params->{'strict_transport_security'} ne 'off') 
+    {
          my $sts_opts = 'max-age=' . MAX_STS_AGE;
-        if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
+        if (Bugzilla->params->{'strict_transport_security'} 
+            eq 'include_subdomains')
+        {
              $sts_opts .= '; includeSubDomains';
          }
          unshift(@_, '-strict_transport_security' => $sts_opts);
author	Max Kanat-Alexander <mkanat@bugzilla.org>
	Mon, 6 Dec 2010 15:53:29 +0000 (07:53 -0800)
committer	Max Kanat-Alexander <mkanat@bugzilla.org>
	Mon, 6 Dec 2010 15:53:29 +0000 (07:53 -0800)