Bug 607138: Don't send the Strict-Transport-Security header for the

author Max Kanat-Alexander <mkanat@bugzilla.org>

Mon, 6 Dec 2010 15:52:31 +0000 (07:52 -0800)

committer Max Kanat-Alexander <mkanat@bugzilla.org>

Mon, 6 Dec 2010 15:52:31 +0000 (07:52 -0800)
author Max Kanat-Alexander <mkanat@bugzilla.org>
Mon, 6 Dec 2010 15:52:31 +0000 (07:52 -0800)
committer Max Kanat-Alexander <mkanat@bugzilla.org>
Mon, 6 Dec 2010 15:52:31 +0000 (07:52 -0800)
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm

index 8ec3ac28e8a72eec242c48fcf1db3adf2076d90e..b32f76ae01b37d645b3c106692d187ae3afa882c 100644 (file)
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -275,9 +275,13 @@ sub header {
  
      # Add Strict-Transport-Security (STS) header if this response
      # is over SSL and the strict_transport_security param is turned on.
-    if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') {
+    if ($self->https && !$self->url_is_attachment_base
+        && Bugzilla->params->{'strict_transport_security'} ne 'off') 
+    {
          my $sts_opts = 'max-age=' . MAX_STS_AGE;
-        if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
+        if (Bugzilla->params->{'strict_transport_security'} 
+            eq 'include_subdomains')
+        {
              $sts_opts .= '; includeSubDomains';
          }
          unshift(@_, '-strict_transport_security' => $sts_opts);
author	Max Kanat-Alexander <mkanat@bugzilla.org>
	Mon, 6 Dec 2010 15:52:31 +0000 (07:52 -0800)
committer	Max Kanat-Alexander <mkanat@bugzilla.org>
	Mon, 6 Dec 2010 15:52:31 +0000 (07:52 -0800)