mirror/FreshRSS
0
0
Fork 0
mirror of https://github.com/FreshRSS/FreshRSS.git synced 2026-04-03 22:25:04 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'cookie_secure' into dev

Browse Source
This commit is contained in:
Alexandre Alapetite
2016-03-08 19:02:02 +01:00
parent 5a7455dc62 cd4153912f
commit c024cfa25e
3 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -5,6 +5,7 @@
* Security
* Added CSP `Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/issues/1075), [#1114](https://github.com/FreshRSS/FreshRSS/issues/1114)
* Added `X-Content-Type-Options: nosniff` [#1116](https://github.com/FreshRSS/FreshRSS/pull/1116)
* Cookie with `Secure` tag when used over HTTPS [#1117](https://github.com/FreshRSS/FreshRSS/pull/1117)
* Features
* New list of domains for which to force HTTPS (for images, videos, iframes…) defined in `./data/force-https.default.txt` and `./data/force-https.txt` [#1083](https://github.com/FreshRSS/FreshRSS/issues/1083)
* In particular useful for privacy and to avoid mixed content errors, e.g. to see YouTube videos when FreshRSS is in HTTPS

17
lib/Minz/Request.php
View File

@@ -84,6 +84,17 @@ class Minz_Request {
self::magicQuotesOff();
}
/**
* Return true if the request is over HTTPS, false otherwise (HTTP)
*/
public static function isHttps() {
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
return strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
} else {
return isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
}
}
/**
* Try to guess the base URL from $_SERVER information
*
@@ -92,11 +103,7 @@ class Minz_Request {
public static function guessBaseUrl() {
$url = 'http';
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
$https = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
} else {
$https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on';
}
$https = self::isHttps();
if (!empty($_SERVER['HTTP_HOST'])) {
$host = $_SERVER['HTTP_HOST'];

6
lib/Minz/Session.php
View File

@@ -73,7 +73,7 @@ class Minz_Session {
* @param $l la durée de vie
*/
public static function keepCookie($l) {
session_set_cookie_params($l, self::getCookieDir(), '', false, true);
session_set_cookie_params($l, self::getCookieDir(), '', Minz_Request::isHttps(), true);
}
@@ -86,11 +86,11 @@ class Minz_Session {
}
public static function deleteLongTermCookie($name) {
setcookie($name, '', 1, '', '', false, true);
setcookie($name, '', 1, '', '', Minz_Request::isHttps(), true);
}
public static function setLongTermCookie($name, $value, $expire) {
setcookie($name, $value, $expire, '', '', false, true);
setcookie($name, $value, $expire, '', '', Minz_Request::isHttps(), true);
}
public static function getLongTermCookie($name) {