From d5bfbdefb1bb56d7062975cd04954aa1ad346018 Mon Sep 17 00:00:00 2001
From: clsr <clsr@clsr.net>
Date: Thu, 16 Jun 2016 21:11:55 +0200
Subject: Add --csp and --allow-html flags

---
 USAGE   | 8 ++++++++
 api.go  | 7 ++++---
 main.go | 4 ++++
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/USAGE b/USAGE
index fb742fc..6de9cbb 100644
--- a/USAGE
+++ b/USAGE
@@ -89,6 +89,14 @@ Running
 			if missing, uses --upload-host, --https or --http to construct the URL
 			example: --upload-url http://u.example.com/
 
+		--csp CSP
+			sets the Content-Security-Header to CSP; blank to disable the header
+			example: --csp=
+
+		--allow-html
+			serve text/html and application/xhtml+xml files with their original filetype instead of text/plain
+			example: --allow-html
+
 		--grill
 			enables grills
 			example: --grill
diff --git a/api.go b/api.go
index 1fe7f0a..b3b7063 100644
--- a/api.go
+++ b/api.go
@@ -28,13 +28,14 @@ func handleFile(w http.ResponseWriter, r *http.Request) {
 	}
 	defer f.Close()
 	mtype := mime.TypeByExtension(path.Ext(f.Name()))
-	if strings.Index(mtype, "text/html") == 0 || strings.Index(mtype, "application/xhtml+xml") == 0 {
+	if !allowHtml && (strings.Index(mtype, "text/html") == 0 || strings.Index(mtype, "application/xhtml+xml") == 0) {
 		mtype = "text/plain"
 	}
 	w.Header().Set("Content-Type", mtype)
 	_ = size
-	//w.Header().Set("Content-Length", strconv.FormatInt(size, 10))
-	w.Header().Set("Content-Security-Policy", "default-src 'none'; media-src 'self'")
+	if csp != "" {
+		w.Header().Set("Content-Security-Policy", csp)
+	}
 	w.Header().Set("Last-Modified", modtime.UTC().Format(http.TimeFormat))
 	w.Header().Set("Expires", modtime.UTC().Add(time.Hour*24*30).Format(http.TimeFormat))
 	w.Header().Set("Cache-Control", "max-age=2592000")
diff --git a/main.go b/main.go
index 1b72477..40ba912 100644
--- a/main.go
+++ b/main.go
@@ -17,7 +17,9 @@ var (
 	siteName    string
 	contactMail string
 	abuseMail   string
+	csp         string
 	hsts        bool
+	allowHtml   bool
 )
 
 func handle(w http.ResponseWriter, r *http.Request) {
@@ -37,7 +39,9 @@ func main() {
 	flag.StringVar(&siteName, "name", "Gomf", "website name")
 	flag.StringVar(&contactMail, "contact", "contact@example.com", "contact email address")
 	flag.StringVar(&abuseMail, "abuse", "abuse@example.com", "abuse email address")
+	flag.StringVar(&csp, "csp", "default-src 'none'; media-src 'self'", "the Content-Security-Policy header for files; blank to disable")
 	flag.BoolVar(&hsts, "hsts", false, "enable HSTS")
+	flag.BoolVar(&allowHtml, "allow-html", false, "serve (X)HTML uploads with (X)HTML filetypes")
 	listenHttp := flag.String("http", "localhost:8080", "address to listen on for HTTP")
 	listenHttps := flag.String("https", "", "address to listen on for HTTPS")
 	cert := flag.String("cert", "", "path to TLS certificate (for HTTPS)")
-- 
cgit