author | Josh Rickmar <jrick@devio.us> | 2012-07-31 09:55:26 -0400 |
---|---|---|
committer | Josh Rickmar <jrick@devio.us> | 2012-07-31 09:55:26 -0400 |
commit | 0c240f728d489408cda135786cf29244c1cd4d83 (patch) | |
tree | e063f765a1c73d301ec3ad5e8a5904165337a63e /settings.c | |
parent | 02e03fcb67ee3ee37ff7bd5f287a7c53ca55f97e (diff) | |
download | xombrero-0c240f728d489408cda135786cf29244c1cd4d83.tar.gz |
Add a force_https setting (using the same domain syntax as the
whitelist settings) to make all requests to that domain use the HTTPS scheme, similar to HSTS. Install a new file, hsts-preload, into the resource dir. This is a regular config file with a bunch of force_https = ... lines, which is used to implement a preloaded HSTS list. Right now all the domains in this file, except for conformal.com and cyphertite.com, are taken directly from chromium's preloaded HSTS list (and this file should be re-synced against chromium's list every so often). Also implement a new setting, preload_strict_transport (enabled by default), to enable or disable the loading of this preloaded HSTS list. Document force_https and preload_strict_transport in the manpage.
Diffstat (limited to 'settings.c')
-rw-r--r-- | settings.c | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/settings.c b/settings.c
index 053d145..0850b4e 100644
--- a/settings.c
+++ b/settings.c
@@ -112,6 +112,7 @@ int warn_cert_changes = 0;
 int allow_insecure_content = XT_DS_ALLOW_INSECURE_CONTENT;
 int allow_insecure_scripts = XT_DS_ALLOW_INSECURE_SCRIPTS;
 int do_not_track = XT_DS_DO_NOT_TRACK;
+int preload_strict_transport = XT_DS_PRELOAD_STRICT_TRANSPORT;
 char *cmd_font_name = NULL; /* these are all set at startup */
 char *oops_font_name = NULL;
@@ -140,6 +141,7 @@ int add_ua(struct settings *, char *);
 int add_http_accept(struct settings *, char *);
 int add_cmd_alias(struct settings *, char *);
 int add_custom_uri(struct settings *, char *);
+int add_force_https(struct settings *, char *);
 int set_append_next(char *);
 int set_autofocus_onload(char *);
@@ -226,6 +228,8 @@ void walk_cmd_alias(struct settings *, void (*)(struct settings *,
 char *, void *), void *);
 void walk_custom_uri(struct settings *, void (*)(struct settings *,
 char *, void *), void *);
+void walk_force_https(struct settings *, void (*)(struct settings *,
+ char *, void *), void *);
 int
 set_http_proxy(char *proxy)
@@ -395,6 +399,12 @@ struct special s_userstyle = {
 NULL
 };
+struct special s_force_https = {
+ add_force_https,
+ NULL,
+ walk_force_https
+};
+
 struct settings rs[] = {
 { "allow_insecure_content", XT_S_INT, 0, &allow_insecure_content, NULL, NULL, NULL, set_allow_insecure_content },
 { "allow_insecure_scripts", XT_S_INT, 0, &allow_insecure_scripts, NULL, NULL, NULL, set_allow_insecure_scripts },
@@ -442,6 +452,7 @@ struct settings rs[] = {
 { "max_connections", XT_S_INT, XT_SF_RESTART,&max_connections, NULL, NULL, NULL, NULL },
 { "max_host_connections", XT_S_INT, XT_SF_RESTART,&max_host_connections, NULL, NULL, NULL, NULL },
 { "oops_font", XT_S_STR, 0, NULL, &oops_font_name, NULL, NULL, set_oops_font },
+ { "preload_strict_transport", XT_S_INT, 0, &preload_strict_transport, NULL, NULL, NULL, NULL },
 { "read_only_cookies", XT_S_INT, 0, &read_only_cookies, NULL, NULL, NULL, set_read_only_cookies },
 { "referer", XT_S_STR, 0, NULL, NULL,&s_referer, NULL, set_referer_rt },
 { "refresh_interval", XT_S_INT, 0, &refresh_interval, NULL, NULL, NULL, set_refresh_interval },
@@ -478,6 +489,7 @@ struct settings rs[] = {
 { "cmd_alias", XT_S_STR, XT_SF_RUNTIME, NULL, NULL, &s_cmd_alias, NULL, NULL },
 { "cookie_wl", XT_S_STR, XT_SF_RUNTIME, NULL, NULL, &s_cookie_wl, NULL, NULL },
 { "custom_uri", XT_S_STR, XT_SF_RUNTIME, NULL, NULL, &s_uri, NULL, NULL },
+ { "force_https", XT_S_STR, XT_SF_RUNTIME, NULL, NULL, &s_force_https, NULL, NULL },
 { "http_accept", XT_S_STR, XT_SF_RUNTIME, NULL, NULL, &s_http_accept, NULL, NULL },
 { "js_wl", XT_S_STR, XT_SF_RUNTIME, NULL, NULL, &s_js, NULL, NULL },
 { "keybinding", XT_S_STR, XT_SF_RUNTIME, NULL, NULL, &s_kb, NULL, NULL },
@@ -1476,6 +1488,14 @@ walk_ua(struct settings *s,
 }
 int
+add_force_https(struct settings *s, char *value)
+{
+ wl_add(value, &force_https,
+ XT_WL_FLAG_HANDY | XT_WL_FLAG_EXCLUDE_SUBDOMAINS);
+ return (0);
+}
+
+int
 add_http_accept(struct settings *s, char *value)
 {
 struct http_accept *ha;
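Review bot: The `preload_strict_transport` row added to rs[] in the @@ -442 hunk is registered with flags 0 and no set callback, yet the commit message says it controls whether the hsts-preload file is loaded; if that load happens once at startup, changing the setting afterwards silently has no effect until the next restart. The neighbouring startup-only rows `max_connections` and `max_host_connections` carry `XT_SF_RESTART`, and the same flag here, `{ "preload_strict_transport", XT_S_INT, XT_SF_RESTART, &preload_strict_transport, NULL, NULL, NULL, NULL },`, would make that visible to the user. If the list is in fact consulted lazily so a runtime change does take effect, a short comment on the declaration in the @@ -112 hunk saying so would settle the question for the next reader.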
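Review bot: `add_force_https` in the @@ -1476 hunk registers every entry with `XT_WL_FLAG_EXCLUDE_SUBDOMAINS`, so, if that flag does what its name says, a `force_https = example.com` line upgrades only that exact host, whereas the chromium preload entries the commit message says hsts-preload mirrors each carry their own include-subdomains bit; an entry that chromium applies to all subdomains would leave `www.example.com` on plain HTTP here unless the file spells the subdomain form out. This deserves a comment above the function stating whether subdomains are covered and how an include-subdomains entry must be written, so whoever re-syncs the list against chromium's does not lose that distinction. The `s` parameter being unused matches the sibling add_* helpers and needs no change.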
@@ -2582,6 +2602,21 @@ walk_pl_wl(struct settings *s,
 cb(s, d->d, cb_args);
 }
+void
+walk_force_https(struct settings *s,
+ void (*cb)(struct settings *, char *, void *), void *cb_args)
+{
+ struct domain *d;
+
+ if (s == NULL || cb == NULL) {
+ show_oops(NULL, "walk_force_https invalid parameters");
+ return;
+ }
+
+ RB_FOREACH_REVERSE(d, domain_list, &force_https)
+ cb(s, d->d, cb_args);
+}
+
 int
 settings_add(char *var, char *val)
 {