From 067e958da7d04d51f3d9f061f51cf65e22e452d1 Mon Sep 17 00:00:00 2001
From: Max Kanat-Alexander <mkanat@bugzilla.org>
Date: Mon, 6 Dec 2010 07:52:31 -0800
Subject: Bug 607138: Don't send the Strict-Transport-Security header for the
 attachment_base. r=LpSolit, a=LpSolit

---
 Bugzilla/CGI.pm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 8ec3ac28e..b32f76ae0 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -275,9 +275,13 @@ sub header {
 
     # Add Strict-Transport-Security (STS) header if this response
     # is over SSL and the strict_transport_security param is turned on.
-    if ($self->https && Bugzilla->params->{'strict_transport_security'} ne 'off') {
+    if ($self->https && !$self->url_is_attachment_base
+        && Bugzilla->params->{'strict_transport_security'} ne 'off') 
+    {
         my $sts_opts = 'max-age=' . MAX_STS_AGE;
-        if (Bugzilla->params->{'strict_transport_security'} eq 'include_subdomains') {
+        if (Bugzilla->params->{'strict_transport_security'} 
+            eq 'include_subdomains')
+        {
             $sts_opts .= '; includeSubDomains';
         }
         unshift(@_, '-strict_transport_security' => $sts_opts);
-- 
cgit v1.2.3-24-g4f1b