squidy/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2025-12-17 06:01:33 -06:00
Code Issues Packages Projects Releases Wiki Activity

Revise cookie 'secure flag' enable condition

Browse Source 
The localhost is 'potentially trustworthy' and RFC 6265 allows setting secure flag in this case.
Also check `X-Forwarded-Proto` header value to support reverse proxy usage.

Note: for reverse proxy users, now the `X-Forwarded-Proto` header is expected to be sent to qbt
otherwise the `secure` flag might be set erroneously.

https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.5
https://w3c.github.io/webappsec-secure-contexts/#is-origin-trustworthy

Closes #21250.
PR #21260.
This commit is contained in:
Chocobo1
2024-09-07 21:38:27 +08:00
committed by GitHub
parent d9bc7935eb
commit 130c0d8487
6 changed files with 27 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/webui/webapplication.h
View File

@@ -128,9 +128,11 @@ private:
bool isAuthNeeded();
bool isPublicAPI(const QString &scope, const QString &action) const;
bool isOriginTrustworthy() const;
bool isCrossSiteRequest(const Http::Request &request) const;
bool validateHostHeader(const QStringList &domains) const;
// reverse proxy
QHostAddress resolveClientAddress() const;
// Persistent data