From b3f98de1da11e13dea5c08af4f80520258c120cf Mon Sep 17 00:00:00 2001
From: Simon Ser <contact@emersion.fr>
Date: Tue, 25 Feb 2020 16:13:10 +0100
Subject: plugins/viewhtml: add opt-in query param to load remote resources

Loading remote resources by default has privacy implications.
---
 plugins/viewhtml/plugin.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'plugins/viewhtml/plugin.go')

diff --git a/plugins/viewhtml/plugin.go b/plugins/viewhtml/plugin.go
index b34372f..1007d4a 100644
--- a/plugins/viewhtml/plugin.go
+++ b/plugins/viewhtml/plugin.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"git.sr.ht/~emersion/koushin"
+	koushinbase "git.sr.ht/~emersion/koushin/plugins/base"
 	"github.com/labstack/echo/v4"
 )
 
@@ -20,6 +21,17 @@ var (
 func init() {
 	p := koushin.GoPlugin{Name: "viewhtml"}
 
+	p.Inject("message.html", func(ctx *koushin.Context, _data koushin.RenderData) error {
+		data := _data.(*koushinbase.MessageRenderData)
+		data.Extra["RemoteResourcesAllowed"] = ctx.QueryParam("allow-remote-resources") == "1"
+		hasRemoteResources := false
+		if v := ctx.Get("viewhtml.hasRemoteResources"); v != nil {
+			hasRemoteResources = v.(bool)
+		}
+		data.Extra["HasRemoteResources"] = hasRemoteResources
+		return nil
+	})
+
 	p.GET("/proxy", func(ctx *koushin.Context) error {
 		if !proxyEnabled {
 			return echo.NewHTTPError(http.StatusForbidden, "proxy disabled")
-- 
cgit v1.2.3