author | clsr <clsr@clsr.net> | 2016-06-16 21:11:55 +0200 |
---|---|---|
committer | clsr <clsr@clsr.net> | 2016-06-16 21:11:55 +0200 |
commit | d5bfbdefb1bb56d7062975cd04954aa1ad346018 (patch) | |
tree | 2892f9d7e763457db7bc15a948dc5db169f6223d | |
parent | 062d8e6a2d0da35d29b742a6970a9268b517f20c (diff) | |
Add --csp and --allow-html flags (v0.1.6)
-rw-r--r-- | USAGE | 8 | ||||
-rw-r--r-- | api.go | 7 | ||||
-rw-r--r-- | main.go | 4 |
3 files changed, 16 insertions, 3 deletions
@@ -89,6 +89,14 @@ Running
 if missing, uses --upload-host, --https or --http to construct the URL
 example: --upload-url http://u.example.com/

+ --csp CSP
+ sets the Content-Security-Header to CSP; blank to disable the header
+ example: --csp=
+
+ --allow-html
+ serve text/html and application/xhtml+xml files with their original filetype instead of text/plain
+ example: --allow-html
+
 --grill
 enables grills
 example: --grill
@@ -28,13 +28,14 @@ func handleFile(w http.ResponseWriter, r *http.Request) {
 }
 defer f.Close()
 mtype := mime.TypeByExtension(path.Ext(f.Name()))
- if strings.Index(mtype, "text/html") == 0 || strings.Index(mtype, "application/xhtml+xml") == 0 {
+ if !allowHtml && (strings.Index(mtype, "text/html") == 0 || strings.Index(mtype, "application/xhtml+xml") == 0) {
 mtype = "text/plain"
 }
 w.Header().Set("Content-Type", mtype)
 _ = size
- //w.Header().Set("Content-Length", strconv.FormatInt(size, 10))
- w.Header().Set("Content-Security-Policy", "default-src 'none'; media-src 'self'")
+ if csp != "" {
+ w.Header().Set("Content-Security-Policy", csp)
+ }
 w.Header().Set("Last-Modified", modtime.UTC().Format(http.TimeFormat))
 w.Header().Set("Expires", modtime.UTC().Add(time.Hour*24*30).Format(http.TimeFormat))
 w.Header().Set("Cache-Control", "max-age=2592000")
@@ -17,7 +17,9 @@ var (
 siteName string
 contactMail string
 abuseMail string
+ csp string
 hsts bool
+ allowHtml bool
 )

 func handle(w http.ResponseWriter, r *http.Request) {
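Review bot: Once `csp` may be empty in the api.go hunk, the `!allowHtml` rewrite above it is the only remaining control on active content, and it matches just `text/html` and `application/xhtml+xml`; a type such as `image/svg+xml` passes through unchanged and previously relied on the fixed `default-src 'none'` policy. With `--csp=` set, and more so together with `--allow-html`, uploads are then rendered with no policy in whatever origin serves them. I would keep a non-optional floor next to the Content-Type line, `w.Header().Set("X-Content-Type-Options", "nosniff")`, and put a comment on the `if csp != ""` branch stating that a blank policy is only acceptable when files are served from a dedicated upload host. `strings.HasPrefix(mtype, "text/html")` would also read more directly than `strings.Index(...) == 0`. handleFile begins and ends outside this hunk, so headers set elsewhere are not visible here.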
@@ -37,7 +39,9 @@ func main() {
 flag.StringVar(&siteName, "name", "Gomf", "website name")
 flag.StringVar(&contactMail, "contact", "contact@example.com", "contact email address")
 flag.StringVar(&abuseMail, "abuse", "abuse@example.com", "abuse email address")
+ flag.StringVar(&csp, "csp", "default-src 'none'; media-src 'self'", "the Content-Security-Policy header for files; blank to disable")
 flag.BoolVar(&hsts, "hsts", false, "enable HSTS")
+ flag.BoolVar(&allowHtml, "allow-html", false, "serve (X)HTML uploads with (X)HTML filetypes")
 listenHttp := flag.String("http", "localhost:8080", "address to listen on for HTTP")
 listenHttps := flag.String("https", "", "address to listen on for HTTPS")
 cert := flag.String("cert", "", "path to TLS certificate (for HTTPS)") |
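Review bot: The help strings on the two new `flag` lines do not tell the operator what they give up: `--allow-html` makes uploaded markup render as a live document on the serving origin, and a blank `--csp` removes the policy that would otherwise constrain it. For `allow-html` I would word the description along the lines of `"serve (X)HTML uploads as (X)HTML; they then run as active content on the upload origin, so keep --csp set"`. The USAGE hunk of this commit also names the header "Content-Security-Header", which should read Content-Security-Policy to agree with the description given here. main's body continues outside the hunk, so any validation after `flag.Parse()` is not visible.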